Aug 222017

If anybody feels that an organisation may have failed to follow the Data Protection Act whilst dealing with their data, they can ask the ICO for an assessment about whether that processing is likely to have been OK or not, under S42 of the Data Protection Act. The ICO are obliged to respond unless they need the subject to supply more ID or more explanation as to what processing the subject’s concerned about. Those are the ONLY exemptions the ICO can use to avoid having to undertake a S42 assessment.

S42.2 On receiving a request under this section, the Commissioner shall make an assessment in such manner as appears to him to be appropriate, unless he has not been supplied with such information as he may reasonably require in order to—
(a) satisfy himself as to the identity of the person making the request, and
(b) enable him to identify the processing in question.

It is usually a good idea for the data subject to complain to the data controller before bothering the ICO. It’s often probably the best way to get the issue resolved speedily and with the least of fuss, to the benefit of both the data controller and the data subject. It also means that the ICO are less likely to be swamped with S42 requests about stuff that could have been sorted a lot easier by a simple email.

However, that isn’t appropriate in all cases.

My reading of the Act is that the ICO are under an obligation to respond to a data subject’s S42 request for assessment irrespective of whether the data subject has complained to the data controller. The ONLY factors they can take into consideration as to whether they must undertake an assessment or not, is whether they have enough ID to be confident the data subject is who (s)he says (s)he is, and whether they’ve been given enough information to identify the processing in question.

S42 lists other factors that the authority can take into account – but these factors are only to be taken into account when considering how the authority will go about the assessment, not IF they will undertake an assessment. They still have to do the assessment, irrespective of these factors. But in any case, these factors do not include whether or not the data subject has made a complaint to the data controller.

S42.3 The matters to which the Commissioner may have regard in determining in what manner it is appropriate to make an assessment include—
(a) the extent to which the request appears to him to raise a matter of substance,
(b) any undue delay in making the request, and
(c) whether or not the person making the request is entitled to make an application under section 7 in respect of the personal data in question.

So as far as I’m concerned, the law does not give the ICO latitude to insist data subjects complain to the data controller before submitting a S42 request. It doesn’t allow the ICO to refuse to undertake an assessment where the data subject hasn’t submitted a complaint direct to the data controller.

I submitted a S42 request recently, having not complained to the data controller first. The ICO responded:

I note that you also sent us a copy of an email received from ‘Charity Checkout’, which appears to be a trading name of ‘Online Giving Ltd’.  There is no other copy correspondence to show that you have raised a concern with ‘Online Giving Ltd’ in writing and allowed time for its response. You would need to do this before the ICO could progress any concern about this third organisation.

I remonstrated:

This approach is not in compliance with obligations under S42 of the Data Protection Act, which states:

I parroted the above in detail, showing that the ICO cannot legitimately insist on subjects complaining to the controller before the ICO is obliged to conduct an assessment.

It always bugs me when the ICO state that they will not make a S42 assessment unless the data subject has raised their concern with the data controller. This is evidently ingrained and standard practice in the ICO, but it has no basis in law. No doubt the ICO would like it to be in the law, acts as if it is the law and doubtless often it achieves a speedier resolution if the data subject  complains to the data controller, but the fact is that the Information Commissioner is obliged to undertake an assessment whether or not the data subject has raised their concern with the data controller.

As the ICO expects and requires data controllers to comply with the detail of the Data Protection Act, it should do so itself. S42 does not give the Commissioner the right to reject S42 requests on the basis that the data subject has not raised a concern with the data controller. That’s the letter of the law, and the ICO should comply with it.

Please register a complaint that the ICO’s standard practice in this specific is not in compliance with the Commissioner’s obligation under S42 of the Data Protection Act.

They gave their final response:

You are dissatisfied with this approach and do not consider that section 42 of the Act allows the ICO to require that you contact the organisation prior to requesting an assessment.

My Findings

The requirement for individuals to have raised their concerns with the organisation involved is part of the ICO’s operational policy, rather than being written into the legislation.

You will appreciate that the ICO has limited resources, and we cannot take action in response to every concern reported to us. Ultimately our role is to improve information rights practices, and we put our efforts into taking action in those areas where we can make the biggest improvement to the practice of those we regulate. We are an independent body and do not work on behalf of individuals

As explained on our website, we believe that the organisation responsible for a data protection matter should deal with it in the first instance. We expect organisations to take concerns seriously and work with the data subject to try to resolve them. Most organisations will want to put things right when they have gone wrong, and learn from complaints that are raised with them – further, it is best practice for them to have an effective complaints procedure.

If the organisation has been unable, or unwilling, to resolve an information rights concern, the data subject can then raise the matter for us to evaluate whether there is an opportunity to improve information rights practice.

For all of these reasons we are committed to giving organisations the opportunity to respond to public concerns before they are raised with us as the regulator.

I trust that this explains our approach.

Well yes, it explains their approach, but it doesn’t explain how their approach complies with the legislation, which was the sole point in my complaint. “We think our approach is better” isn’t a valid response to a complaint that said approach is not in accordance with their legal obligations.

However, they have successfully stonewalled me through their single-stage complaints procedure, so they won’t consider the issue any further. I wouldn’t want to bother the ombudsmen, partly as I haven’t experienced sufficient harm and in any case, as the ICO pointed out – “If your complaint relates to the way in which we have interpreted the law then the Ombudsman cannot help you.” The only further avenue suggested was, “If you want to challenge our interpretation of the law, you should consider seeking legal advice.” They presumably know that it doesn’t merit that.

I’m therefore reduced to publishing a whiny blog explaining how I’ve been wronged, on an obscure part of the Internet where nobody will read it — similar to the likes of Alan Dransfield.

But I still think I’m right, that the ICO are failing to comply with their legal obligations, and that they have succeeded in their intent of stonewalling me throughout the statutory procedures ostensibly designed to make sure they take on board complainants’ legitimate concerns and change accordingly. (Again, just like Dransfield. Perhaps we’re long-lost relatives or something.)

Feb 152017

Section 50 of the Freedom of Information Act gives requesters the right to ask the Information Commissioner to decide if a public authority’s handling of the requester’s Freedom of Information Request is in compliance with the Act.

Application for decision by Commissioner.

(1)Any person (in this section referred to as “the complainant”) may apply to the Commissioner for a decision whether, in any specified respect, a request for information made by the complainant to a public authority has been dealt with in accordance with the requirements of Part I.

Here’s the bit I’m interested in: (my emphasis)

Any person … may apply to the Commissioner for a decision whether, in any specified respect, a request for information made by the complainant to a public authority has been dealt with in accordance…

I don’t think the Commissioner complies with this, and I think she / her office should.

Here’s a current example, in which the ICO is refusing to decide whether an authority’s handling of my request complied with the Act in my specified respect – whether they were correct to use the S43 exemption:

In January 2015, as part of my campaign to make Leonard Cheshire pay carers the living wage, I put in Freedom of Information requests to many councils for details of how much they pay care providers including Leonard Cheshire. Surrey Council (alone, out of the 172 I surveyed) maintained that the S43 exemption (Commercial Interests), partly because they were currently undertaking a review of care home contracts.

In February 2016, on the assumption that the review would be over, I sent a new request for the original data. Their dilatory response of 19 April 2016 cited S43 again. I requested an internal review; their usual dilatory response of 21 July 2016 upheld S43.

On 29th June 2016, I sent the ICO a S50 request. It read, in its entirety,


Please can you conduct a S50 request:

1) failure to respond within 20 working days

2) inappropriate reliance on S43

I have given them every opportunity to respond, including requesting
an internal review, but they have neglected to so so.

Thank you

Doug Paulley

After Surrey had completed their internal review, the ICO contacted me to ask if I was still unhappy. I emailed them on 23rd July to say that I was most definitely still unhappy about their use of the commercial interests exemption and repeated my request for a S50 assessment. The ICO appointed an investigator, who emailed me on 20th September 2016, stating:

The focus of my investigation will be to determine whether the Council is entitled to rely on section 43(2) as a basis for withholding the information described in your requests

I was entirely clear in my initial S50 request, and throughout all following correspondence, that my S50 request was about their use of S43. I initially included their failure to respond within the deadline, but still it was clear throughout, and in both my S50 requests, that my concern was about the authority’s illegitimate use of S43.

On 6th February 2017 (nigh on a year after the request) Surrey Council released info that arguably satisfied the request:

Following on from the email below and subsequent correspondence with the Information Commissioner, given the passage of time, we are now able to confirm…

The Information Commissioner’s Office emailed me to say they would drop their investigation.

Surrey Council has now sent me a copy of an email it sent to you disclosing the range of fees for LCD as at the date of your request. This would appear to satisfy your request and I therefore now propose to close this case as having been informally resolved.

(One wonders if the Act allows them to unilaterally decide not to complete the S50 assessment.)

I wasn’t happy with this. I stuck to my guns on the S50 assessment. However the ICO then refused to look at the use of S43:

I will do a decision notice. It will be on the narrow issue of Surrey Council’s delay in providing the information to you.

I said: hang on, my S50 request was about their use of S43:

I appreciate your position, but it is clear that the substantial delay was caused by the authority’s inappropriate and prolonged reliance on the exemption. If you hadn’t intervened they wouldn’t have responded at all because they would have maintained that exemption. Writing a decision notice solely on the a time limit issue is disingenuous.

When I sent you my S50 request, back on June 29 2016, I asked you to conduct a S50 assessment into “1) failure to respond within 20 working days 2) inappropriate reliance on S43.”

I didn’t ask you to take 7.5 months to persuade the authority to release the information, then to count the case as closed; then on my remonstration to write a decision notice solely about their delay in response. I asked you to do a DN about their delay, and the fact that they inappropriately used S43.

I appreciate you always prefer an informal resolution to requests as being better all round, but in this case it’s not acceptable. They are dodging the issue by saying that the time since the request has meant they can release the information. This gives me no confidence whatsoever that when I ask for updated information they will supply the information.

Don’t just do a DN about delay. Do it on their S43 refusal also.

Once again the ICO flat refused:

I consulted with senior colleagues regarding your concern about the position I set out for you: namely, that we will do a decision notice addressing the delay in response. They have agreed with my position and I do not intend to change my approach.

If you wish to challenge the scope of our decision notice in that regards, you will be able to appeal the decision notice to the First-tier Tribunal (Information Rights).

I quoted S50 again, and in no uncertain terms set out what I believe is the Information Commissioner’s obligation in the Act:

I require the Information Commissioner to make a decision as to whether the authority’s reliance on the S43 exemption was legitimate. As the complainant, I specify that specific: that is my “specified respect”.

I appreciate that you have asked your seniors, but frankly they are not infallible and in this instance they are wrong. The Information Commissioner does not have the ability to pick and choose whether to respond to the “respect” specified by the complainant.

Please register and investigate a complaint under your complaint procedures that the Commissioner is refusing to comply with her legal obligation set out in the Act to make a determination as to whether the authority was legitimate in refusing to provide the Information for 11 months because they believed S43 was engaged.

Should the Commissioner either not respond to this complaint, or respond but not rescind the decision to ignore the respect I specified, I will apply for a judicial review, in order to ensure that the decision notice addresses the specific point I raised and to ensure that the Commission re-evaluates their obligations set by the Act.

But the Commissioner’s office still refused.

Thank you for your further comments. I will ensure that your comments are passed on to my line manager, [name redacted], who is a Group Manager at the ICO. However, I should be grateful if you would complete our complaints form…

I will, in the meantime, continue to draft a decision notice in the terms previously explained. I acknowledge that you disagree with the scope I have outlined.

I shall send the complaint; and, given that she is continuing to draft the decision notice, I will apply for judicial review; and when they issue the decision notice, I will go to the FTT if need be. But I must say I do think this is ridiculous.

I was perfectly clear all along that my S50 application was for an IC determination as to whether the authority’s use of the S43 exemption was engaged. S50 states that the ICO must decide whether the authority’s actions were compliant with the Act “in any specified respect”. To my mind, the IC is not legitimate in deciding for themselves what they will and will not decide.

I don’t know the Tribunal and Appeal Court decisions in this area – but to me the law is clear, and the IC are wasting their ever-dwindling resources fighting my request for no good reason…

…Or am I barking up the wrong tree?!

Data controllers’ compliance with Section 10 notices: the ICO now assess.

 ICO, Information governance  Comments Off on Data controllers’ compliance with Section 10 notices: the ICO now assess.
Sep 202016

I’ve written previously about the Information Commissioner’s assessment of organisations’ compliance with S10 notices. S10 is a mechanism by which a data subject can force a data controller to stop processing his/her personal data, or stop it from processing in a certain way, where such processing is causing substantial, unwarranted damage or distress.

Previously the ICO has always insisted that they can only assess organisations’ technical compliance with S10(3), i.e. whether the organisation has responded to the notice and whether such response was within the 21 day timescale. The ICO would not consider whether the organisation had broken the law by failing to comply with a valid notice.

The ICO have now changed their policy. The attached Lines to Take document now states:

an individual may make a request for an assessment under s.42 of the DPA where:

  • A data controller has not responded to a notice at all.
  • A data controller has not responded within the 21 day timeframe.
  • A data controller has not provided its reasons for refusing to comply with a notice.
  • A data controller has failed to comply with the data subjects request to cease processing.

That last point is new!

This draft Casework Advice Note goes into more detail.

Section 10(4) refers to the power of the court to order compliance with a section 10 notice.
The Commissioner is still able to make a s42 assessment on processing that may be in breach of the sixth principle (complying with a section 10 notice).

Failure to comply with a justified notice or failure to respond to a valid section 10 notice is a breach of the sixth principle.
The Commissioner can make an assessment of whether processing has been or is being carried out in compliance with the provisions of the DPA – in this case a breach of the sixth principle arising from a failure to comply with a data subject’s section 10 rights.

We can make an assessment of:

  • any non-compliant processing causing unwarranted damage or distress which means that the notice is justified; and/or
  • the data controller’s compliance with the procedural obligations under 10(3) to:
    • respond within 21 days of receiving the objection;
    • explain whether it intends to comply with the objection; and,
    • if it does not intend to comply with the objection in some way, give reasons for the decision.

You CAN also:

  • carry out a s42 assessment on whether the data controller has complied with its obligations under s10(1)

They’ve put “CAN” into Bold for the following reason (also in the draft Casework Advice Note):

Problems with the previous line on ASK knowledge base
The previous line said that:

‘the only situation where the ICO can get involved with a request made under section 10 is where the organisation hasn’t provided any response within 21 days, we cannot assist with any matters relating to compliance with the request….’

This line may have arisen as a result of our preferences or priorities in terms of the types of complaints we take on as an office where there is a technical limitation on our legal powers, or iit may be that we decided for operational reasons that we would not make assessments on a data controller’s compliance with their section 10(1) obligations.
Just because s10 refers to the powers of the court to order compliance with a section 10 notice does not preclude the Commissioner from making an assessment on processing that is in breach of principle 6.
Other sections of the DPA that relate to principle 6 refer to the order making powers of the court. For example, section 7(9) allows the court to order compliance with a SAR, but wouldn’t prevent the Commissioner from making her own assessment on whether or not a data controller should comply with a section 7 request.

It would seem that I have forced the ICO to reconsider their approach. Their internal dialogue on my complaint is entertaining. I particularly like the implied criticism:

In the present case, rather than referring his complaint about Sky’s processing to the Commissioner for an assessment, the data subject has tried to sort out the matter himself by issuing a section 10(1) notice.

How irresponsible of me 😀

Proof of email server receipt = proof of receipt of FOI request

 ICO, Information governance  Comments Off on Proof of email server receipt = proof of receipt of FOI request
Nov 282015

The ICO has decided in decision notice FS50559082 (yet to appear on the ICO’s website, so for now check the annotation on WhatDoTheyKnow) that server logs indicating receipt by a public authority’s email server constitute persuasive proof that the authority received the request.

12. The Commissioner notes that there is evidence to show that around the period the request was made the Cabinet Office was having difficulty receiving emails from the Whatdotheyknow site. However, the Commissioner was given confirmation from the Whatdotheyknow website that the request in this instance was received by the Cabinet Office’s email servers.

13. The Commissioner considers that there is sufficient evidence to show that the Cabinet Office had received the request on the date it was sent by the complainant.

In this case, the Cabinet Office’s email MX server in receipt of the email i by Symmantec’s “Message Labs” cloud-based email security platform. It is possible that the request was lost in Symmantec’s system and not the Cabinet Office (perhaps falsely classed as spam.)

WhatDoTheyKnow always keep email server logs (barring any exceptional technical problems) and so administrators are always able to prove the authority’s receipt of the request. (We have suggested that this information should be directly available to our users.) Similarly, my website hosts (Penguin UK) keep email server logs for a limited period and customers can get a copy of the log entry in question. I should imagine that other hosts using CPanel should offer the same facility.

When making FOI requests by email (or perhaps even when making subject access requests), requesters may wish to get and keep a copy of the mail server log proving the body’s receipt of the request – particularly where the body doesn’t issue automatic acknowledgements of such emails and/or has a …. patchy record of compliance with the Act, like the Cabinet Office.

H/t JT Oakley / @jatroa for pursuing this issue.


Oct 152015

A few weeks ago, I raised the question of what payment mechanisms a data controller must accept for the payment of the £10 fee for a Subject Access Request. I have had a somewhat protracted discussion with the ICO since – see the addendum to my original post. The Information Commissioner’s Office have finally come up with their fully-formed opinion on this, as below:

We have received some further guidance from our policy team who have clarified the situation with regards to SARs and when a fee should be accepted.

As I have previously stated if an organisation do not have the facilities to accept a fee by a certain method then they would not need to create one, as per my previous example regarding PayPal.

In general there is no legal obligation on a data controller to accept a particular method of payment. A data controller can express a preference as to the payment method it would accept, and the data subject should normally comply with this preference where it is reasonable to do so. As we have advised before though, the data controller may on occasion have to have regard to compliance with disability discrimination requirements.

It is also possible for a data subject to express a preference, but, as a payment is to be made to the data controller, agreement would have to be reached with the data controller that this is an acceptable method of payment. The data subject is not able to insist that any recognised legal method of payment should be acceptable to the data controller. Consequently, there is no requirement for the data controller to accept any form of payment just because that is the preference expressed by the data subject.

However, the right of subject access is a basic, fundamental right. This means that it must be sufficiently easy for a data subject to make payment to a data controller in order to exercise that right. Although there may be some cash-only businesses that do not have the facility to process card payments, we believe that the vast majority of organisations do have this facility. Where this is the case, the controller should accept card payments for subject access in order to facilitate the applicant’s request. We would consider it obstructive for the controller to refuse card payments for subject access where it makes and receives card payments for other purposes. The same is true of bank transfers and other payment systems.

My basic tl;dr of the above is that organisations can dictate which mechanism they want applicants to use to pay the SAR fee and the requester can’t override this, though the organisation might have to make a reasonable adjustment for a disabled person and in any case if they have the ability to take payments for other things by alternative mechanisms the ICO would consider them to be obstructive if they don’t accept SAR fees by them. What consequences for the organisation would be had by the ICO thinking them being obstructive isn’t listed, but I suspect naff all, frankly.

The above seems to be at odds with the ICO’s DPA Lines To Take document on SAR fees (.doc file), which says:

If a data subject provides the correct fee in a format which is legally recognised in the UK to denote payment eg cash, cheque or postal order etc. and assuming that they have correctly provided all the other elements of a subject access request eg adequate identification etc, the moment the data controller has received the request (section 7(2)), its obligations under section 7 begin.

A data controller does not have to accept the payment, but the obligation begins nonetheless – acceptance is not a condition of receiving. A data controller is well within its rights to state a preference for a particular format of payment, but it cannot demand it.

To me, that doesn’t fit with what the ICO has just written in the above email to me:

In general there is no legal obligation on a data controller to accept a particular method of payment. … The data subject is not able to insist that any recognised legal method of payment should be acceptable to the data controller. Consequently, there is no requirement for the data controller to accept any form of payment just because that is the preference expressed by the data subject.

Clear as mud to me…

Aug 172015

There’s a paucity of guidance on what mechanisms organisations must offer when charging the £10.00 SAR fee. It bugs me when an organisation accepts payments for other services via card payments and/or bank transfer, but insist on cheques for subject access requests.

The only related guidance I can find is the ICO’s DPA LTT on payment mechanisms for SAR fees, which says that an organisation must act as if the fee has been paid if it’s been sent in a commonly acceptable form, so for example if the organisation tries to insist on payment by card but the requester posts a cheque, they must still process the SAR even if they don’t cash the cheque. The difference is that receiving the cheque doesn’t require any co-operation from the organisation, it’s essentially passive. To pay the fee by card the organisation would have to operate their card machine etc.

So I’ve sent the ICO the following email, but if anybody happens to know of other guidance please do let me know!

Please can you tell me what payment methods an organisation should offer for payment of the £10 SAR fee?

Please can you provide any guidance on this subject? I can only find this DPA LTT which addresses a subtly different question.

In specific, can an organisation insist on SAR fees being paid by cheque, even if they accept payment by card and bank transfer for other elements of their business? I hate cheques; they can go missing in the post, they take time to clear, it’s a pain for me to get to the pillar box in my wheelchair, and they’re very out of date. Is there best practice or statutory or other guidance that says that a company must accept payment by other mechanisms where these are already in use in other areas of their business?

Could I just transfer £10.00 into their account via bank transfer and present them with a printout proving I’ve done this as a fait accompli?

ADDENDUM 11th September

Correspondence with the ICO has provided some elucidation. It has taken a little while, though…

ICO to me: 28th August 2015:
An organisation is able to specify a preference with how they receive the fee. Ultimately as long as they allow the individual a method of payment, then this is likely to be acceptable.
For example, there may be reasons why an organisation are unable to accept payment for SARs via card. This may be because card payments have to show that you are paying for goods etc, and that their systems may put constraints in place that would not allow them to take SAR payments.
I therefore suggest that you contact the organisation and ask them the reasons why they cannot accept payment via card and if there is any other alternative to paying by cheque.
However, there are unlikely to be issues as long as they allow you to make a request and provide some way for you to make a payment.

Me to ICO: 28th August 2015:
Your DPA LTT says that an organisation must act as if they have successfully received payment when proffered, even if it isn’t done so using their preferred payment mechanism. The difference is, I guess, that when paying by card the organisation has to actively participate in the transaction, instead of passively receiving a cheque or cash. Is that the difference between your reply and the LTT?
In my specific case, my SAR was to (X company). They give bank details for (X purpose). I transferred £10.00 into that account and emailed them the transfer details, explaining that it was the SAR fee. Could you please confirm if based on your LTT I have paid them the fee and they are now under obligation to supply the info?

ICO to Me: 2nd September 2015:
As previously mentioned an organisation can specify how they would like to receive a payment for a SAR. As long as they offer you a method that allows you to pay then they are unlikely to be doing anything wrong.
As you have paid the fee via bank transfer, in to an account for (X purpose), and you wish to know whether they are obliged to accept this payment.
Essentially, if they do not accept payment for subject access via this account, and have offered you an alternative way of paying, then there are not going to be obliged to accept the payment. This is because they may not have the facilities to transfer the payment in to the correct place. These constraints may mean that they are unable to process your fee.
We would therefore advise that you contact (X company) and ask them if the payment has been received. If they are unable to process the fee this way then we would consider that you would need to pay the fee via the methods that they offer and it would not be a valid SAR until this happens.

Me to ICO: 2nd September 2015:
Thanks for your opinion on this. As I understand it your response is that (X company) don’t have to consider my bank transfer into an account that they probably don’t use for SAR fees as valid. “As long as they offer you a method that allows you to pay then they are unlikely to be doing anything wrong.”
The reason I am querying is that the Information Commissioner’s Office’s DPA “Line To Take” document “SAR fee – acceptable payment types” says this:

  • Background
    If a data subject provides the correct fee in a format which is legally recognised in the UK to denote payment eg cash, cheque or postal order etc. and assuming that they have correctly provided all the other elements of a subject access request eg adequate identification etc, the moment the data controller has received the request (section 7(2)), its obligations under section 7 begin.
  • Line to take
    A data controller does not have to accept the payment, but the obligation begins nonetheless – acceptance is not a condition of receiving. A data controller is well within its rights to state a preference for a particular format of payment, but it cannot demand it.

So your guidance says that if I turn up in person at their offices with a £10 note to pay my SAR fee, then (X company) are judged to have been offered payment and must process my SAR, even though they say they only accept cheques for such payment.
I guess I’m asking where the line is drawn between when a payment of a SAR fee is deemed as having been properly offered, thus putting them under the obligation to respond. What’s the difference between me turning up at their office with a £10 note, and me electronically transferring £10 into their bank account? They’re both mechanisms that they don’t offer or want people to use, but certainly in the latter case (physically bringing £10 cash) your guidance says they have to act as if they’d been paid the fee.
I guess I’m asking for a line. Turning up at the office with a tenner = fee considered paid (even though they want people to pay by cheque). Offering to pay by credit or debit card, given that this is “a format which is legally recognised in the UK to denote payment” = fee not considered paid? Direct transfer into bank account = fee not considered paid?
Where’s the line?

ICO to me: 11 September 2015:
I have sought further advice on this and our view would be as follows –
If a payment is made via a non-preferred method, in this instance by bank transfer, then as long as you have provided or offered the payment in legal tender, they would need to comply with your request.
The only difference to this would be if you were trying to pay via a method that they have no means of accessing. For example, if you wished to pay via PayPal and they didn’t actually have a PayPal account, they would not be expected to create one.
Therefore, if you have made the bank transfer in to one of (X company’s) bank accounts, even though this would not be their preferred method of payment, they would need to deal with your request as you have provided them with a valid fee.
I hope this clarifies the matter and I must apologise that the advice may have been contradictory.

Me to ICO: 11 September 2015:
Thank you, this is interesting and useful.
I wonder if I could ask the ICO to define the line even more clearly. You’ve established that transferring £10 into their bank account means they have to comply with my SAR; but that is essentially a passive act on their behalf. I am wondering if they should have to co-operate in other mechanisms.
They accept payment (for X purpose, unrelated to SARs) by debit and credit cards. As they use this mechanism, would they have to accept payment of the £10 SAR fee by debit or credit card if I told them that’s how I would like to pay it?

“promptly and in any event…”

 ICO, Information governance  Comments Off on “promptly and in any event…”
May 242015

The Freedom of Information Act 2000 section 10(1) says:

a public authority must comply with section 1(1) promptly and in any event not later than the twentieth working day following the date of receipt.

In their guidance on time limits for compliance with the Freedom of information Act, the Information Commissioner’s Office maintains that the requirement to respond “promptly” is separate and additional to the duty to respond “not later than the twentieth working day”:

21. The obligation to respond promptly means that an authority should comply with a request as soon as is reasonably practicable.
22. Whilst this is linked to the obligation to respond within 20 working days, it should be treated as a separate requirement.
23. An authority will therefore need to both respond promptly and within 20 working days in order to comply with section 10(1).
24. Authorities should regard the 20 working day limit as a ‘long stop’, in other words the latest possible date on which they may issue a response.
25. It also follows that an authority which provides its response close to, or on, the final day of the 20 working day limit ought to be able to both account for, and justify, the length of time taken to comply with the request.

Fine and dandy so far; “promptly” and “not later than the 20th working day” are separate.
The Data Protection Act section 7(8) says:

a data controller shall comply with a request under this section promptly and in any event before the end of the prescribed period beginning with the relevant day.

Ah, “promptly and in any event“, that phraseology is familiar. So I guess that these are two separate requirements, yes? Authorities should respond to simple / easy Subject Access Requests under the Data Protection Act “promptly” and thus well before the “prescribed period” (40 days) long stop, yes?
Here’s what the Information Commissioner’s Office has to say in their Subject Access Code of Practice.

The duty to comply promptly with a SAR clearly implies an obligation to act without unreasonable delay but, equally clearly, it does not oblige you to prioritise compliance over everything else. The 40-day long-stop period is generally accepted as striking the right balance in most cases between the rights of individuals to prompt access to their personal data and the need to accommodate the resource constraints of organisations to which SARs are made. Provided that you deal with the request in your normal course of business, without unreasonable delay, and within the 40-day period, you are likely to comply with the duty to comply promptly.

So for SARs the ICO defines “promptly” as “within the 40-day period.
I asked the ICO about this, and they said:

Having considered your request, we have come to the view that any differences to the text in the guidance you cite are superficial rather than of any real substance, and simply reflect the fact that they were drafted by different people at different times, about different legislation, hence are not identically worded.
Although the promptness reference is explained in slightly different terms in our data protection and freedom of information guidance we do not consider that there is any difference in the position we take. Both are explained as being ‘long-stop’ provisions, indicating that 20 or 40 working days is the maximum amount of time that can be taken to respond. The FOI guidance states that public authorities will need to be able account for or justify the length of time taken to comply and the DPA guidance states that SARs need to be dealt with both within 40 days and without unreasonable delay. This goes to the same point, that the time taken to respond has to be reasonable/justifiable as well as within 20/40 days in order for the response to be considered as prompt.

I respectfully disagree. The ICO’s FOI guidance states that authorities will have to prove that they comply with both the requirement to respond “promptlyand the requirement to respond “not later than the twentieth working day“. Yet the ICO’s SAR Code of Practice states that provided a data controller has responded within the 40 working day limit, they will automatically have complied with the duty to respond “promptly“.

A mountain out of a molehill, perhaps, an esoteric difference – but I wonder why the ICO are taking the line that responses to subject access requests don’t have to be supplied any more promptly than 40 days. If Parliament had meant purely “within 40 days” they would no doubt have said just that and left the “promptly and in any event” out. No doubt that’s the ICO’s reasoning for time limits for Freedom of Information. So why so different for Subject Access Requests?

No doubt there are more important things to worry about, I know, but this bugs me. I’ve got it out of my system for a while now, I’ll shut up, don’t worry.


The esteemed Jon Baines has drawn my attention to the Tribunal caselaw on the subject.

Jon Baines’ blog on the subject is informative. My summary of the Judge’s decision is this:

  • It takes time to do a proper FOI response, check it throughly and do a good job
  • Promptly” doesn’t mean immediately, it is more akin to “without delay
  • In the case he was looking at, it had been responded to “promptly” because it was “well within” the 20 working day limit
  • There may be other cases where an authority will have to account for the time it took to respond

I guess that this says that there “may” be times when the Authority hasn’t responded “promptly” even where it has met the 20 working day long stop so is in keeping with the ICO’s guidance on FOI timescales, but it’s not exactly definitive…

%d bloggers like this: