Information Commissioner’s Office’s internal guidance

These are the Information Commissioner’s Office’s policy Lines to Take and other guidance used by ICO caseworkers and policy workers when assessing issues under various information governance regimes. They are broadly split into three sets:

Freedom of Information Act Lines to Take

These are the current Freedom of Information Lines to Take (LTT) documents as of 10th March 2016. The ICO directed me to an archive of the LTTs from 2012, a list of the LTTs that have been withdrawn before 2015 and before March 2016, and updated LTTs where they have changed since 2012. (There have been no new FOI LTTs.) I have indexed and summarised them below. These constitute current copies of all the LTTs; results from the Government’s archive website are confirmed as current. Where a FOI number has a * that indicates that this LTT has been updated since 2012 and the link is therefore to a PDF or a .DOCX. Where a LTT number is missing, that LTT has been withdrawn. The ICO are in the process of eradicating LTTs as they place the guidance they contain, into public guidance documents.

NB: LTT 146 and LTT 215 as supplied to me originally had formatting errors that made them unreadable; the ICO has since provided a readable copy.

LTTFOI/EIRSection / RegulationTitle
1EIRreg 8(3), reg 8(4)Reasonable amount of charges under the EIRs
3FOIS1Information deleted after request
7EIRReg 2Town and Country Planning Act 1990
9FOIS16 S50Issues not raised by complainant
11FOI & EIRS3 reg 2District Auditors
16FOIS43Prejudice to contractual relations
18FOIS44Financial Services and Markets Act 2000
19FOIS30Applicability of section 30(1) (Investigations and proceedings conducted by public authorities)
20FOIS2, S30(1)Public interest factors for s30
21FOI & EIRS50 reg 18Exemptions and exceptions not claimed by a public authority
22FOIS21, S32Accessibility of court records
23FOIS44Police Act 1996
*25FOIS22, S19Inspection as a form of publication
26FOIS21Reasonably accessible information and publication schemes
27FOIS21Audit Commission Act 1998
29FOIS1, S10, S17, S50(4)Finding in breach of sections 1, 10 or 17
30FOIS31Disclosure of vehicle identification numbers
33EIRr12(6), r12(5)(a)Duty to confirm or deny in the EIR
*37FOIS21, S41, S44Access to medical and social care records of the deceased
45FOIS1Disclosure to public
55FOIS43Evidence from third parties
61FOI & EIRs2(1)(b), r12(1)(b), s35, s36, r12(4)(e)Advice to Decision Makers (weighing of the public interest test)
63FOI & EIRs17(1)(b), reg 14(3)Failure to specify an exemption/ exception on which the PA later relies
64FOIs24, s27, 30, s31Neither confirm nor deny
66FOI & EIRs35, s36, Reg 12(4)(e)Minutes & agendas
67FOIs30(1), s31Public interest in protecting information acquired during investigations
68FOIs24Required for purposes of national security
70FOIs31(1)(a)Public interest in preventing crime against individuals
71FOIs40(2), Reg13(2)Addresses of properties
80EIRReg 2(1)Defining environmental information
81FOIs31Parking enforcement
82EIRReg 2(1)Any information on
83EIRReg 2(1)Future likely effects
84EIRReg 2(1)Threshold of likely to affect and may be affected
87FOIS16, S45, Code of PracticeLimits of s16
88FOIs16, S45, code of practiceClarifying requests
*92FOIAllTime at which to apply provisions of the Act
100FOI & EIRs30, Reg 12(5)(b)Information pre-dating an investigation
114FOI & EIRs1(1)(a) and (b), Reg 5(1) and Reg 14(1)Assessing whether information has been communicated or made available
119FOI & EIRs11, s21, s39, Reg2(1), Reg6, Reg12, Reg14Inter-relation between s21 & s39 FOIA and the EIRs
122FOIs1, Reg 2(1)Documents containing both environmental & other information
*130FOI & EIRs35, s36, Reg 12(4)(e)‘Chilling effect’ arguments
131FOI & EIRs35, s36, Reg12(4)(e)Risk to the role and integrity of the Civil Service
134FOI & EIRs27(2)&(3),Reg 12(5)(a)Realistic expectation of confidentiality under s27(2) and (3)
135FOI & EIRs27(2), Reg 12(5)(a)Confidentiality and information “obtained from” under s27(2)
136FOI & EIRs27(1), Reg 12(5)(a)Nature of prejudice to international relations under s27(1) (and potentially applicable to Regulation 12(5)(a))
139FOIs30Extent to which information referred to in court (in criminal proceedings) is in the public domain
142FOIs16Specifying steps in relation to advice and assistance
143FOI & EIRs.21(1), 21(2)(a)&(b), Reg 6(1)(b)Reasonably accessible information
*146FOI & EIRs35, s36, 12(4)(e)Public Interest Test for “raw notes” and “aide memoire notes”
150FOI & EIRs1, s36, s40, Reg 12(4)(d)“Meta-requests” (requests about requests)
151FOIs21Examples where information is accepted as reasonably accessible to the applicant.
155FOIs33, s35Gateway Reviews are an audit function
157EIRReg 2Listed Buildings
158FOIs31(1)(g), s31(2)Functions exercised for specified purposes under section 31
162FOI & EIRs40(2) & reg 13Anonymising postcodes
178EIRReg 8(2)(b)A public authority shall not charge for allowing an applicant to inspect information
180FOIs38The endangerment test under s38
181FOIs30Information / Documents post-dating an investigation
183FOI & EIRs50, Reg 18Discretion to order no steps in a DN
184FOIs44Functions and statutory bars
187FOI & EIRs.1(1), s.10, s.17, reg. 5(1), 5(2), 11, 14Finding procedural breaches: gateway line
188FOI & EIRs.10, reg.5(2)Issuing a DN in relation to information already disclosed
189FOI & EIRs.10 / reg.5(2)Non-response cases
*190FOI & EIRn/aDecision notices ordering the PA to reconsider the request
191EIRReg 11Internal review under the EIR – issuing a DN requiring an internal review
192FOI & EIRs.1, s.12, s.14, reg.12(4)(a),(b) and (c)Rejecting procedural exemptions / exceptions
193FOIs1Finding that further information is held:approach to decision notices
194FOIs32Applying section 32: gateway line (court docs)
195FOIs32What is a ‘document’ for the purposes of s32
196FOIs32Using a dominant purpose test under sections 32(1)(c) and 32(2)(b)
197FOIs32Effect of the source and the use of information on engaging s32
198FOIS32(1) and (2)Applying s32 beyond the end of litigation / an inquiry
206FOI & EIRs1, s3, Reg 3(1), reg 5(1)Should an executive agency be regarded as a separate public authority?
207EIRRegs 8(1) & 8(8)Charging for environmental information: a schedule of charges is a prerequisite
208FOIs37(1)(b)Nature of the Honours Nomination Process and the Public Interests Inherent in s37(1)(b)
210FOIs10, s17Time extension for public interest test – procedural breaches
*215FOIs44Ombudsman’s or regulator’s statutory bars
*216FOI & EIRs3, reg 2(2)Investigating whether a body is a public authority
*217FOI & EIRs8, s11, s43Does a public authority have to respond to a request that would result in automatic publication of copyright material?
*225FOIs21Public domain: section 21 arguments
*229FOI & EIRs35, s36(2), r12(4)(e)Record keeping arguments
*230EIRRegs 2(2)(b)(i), 2(2)(c), 3(3) and 3(4)Coverage of the Houses of Parliament by the EIR
*233FOI & EIRs2, s40, reg 12, 13Effect of other means of scrutiny or regulation or access to information on the PI in disclosure
*234FOI & EIRs2, Part II exemptions (except s23, s32, s43), reg 12, reg 13Mosaic arguments


Advice Service Line to Take Documents

These are the Information Commissioner’s Office’s “Lines to Take” documents as of 10th March 2016 giving guidance to their advice services. I’d like to say that all typos in the documents are the ICO’s but I may have introduced errors; for the definitive version, check the original response or the ICO’s update. The summary is my own and may not be a fully accurate representation of the contents.

Interesting bits:

On self-incrimination. “An organisation does not have to comply with a subject access request to the extent which compliance would reveal evidence of an offence, (other than one under the DPA), which he could be exposed to proceedings for. Information provided in response to a subject access request cannot be used against a data controller in proceedings brought under the DPA.”

On the exemption for domestic purposes. “Section 36 provides an almost total exemption from the DPA. It exempts individuals from complying with all of the principles, all individual’s rights and notification. The only part of the DPA which still applies are the powers of the ICO, meaning the ICO could still investigate whether an individual had gone beyond the scope of the exemption.” Er… surely means that the only thing the ICO can investigate is somebody’s refusal to allow the ICO to investigate?!

The guidance for MPs and Constituents Complaints Files is apparently sensitive. “Internal guidance only. Whilst this information is freely available to Members, it is not published on our internet and it is asked that you do not share it verbatim with a requester.

TitleLegislationSubject areaContent Standard LetterDPAInternet and TechnologyThe division of the Electoral Roll into full and edited versions as of 2002. Objections to processing by and the general lawfulness of similar services.
1st Principle DPA – Fair and lawfulDPAOtherThe obligations on data controllers to give certain key information to data subjects.
4th principle DPA – Accuracy of Health RecordsDPAHealthWhen is a diagnosis a fact? How should disagreements over diagnoses be dealt with? How can diagnoses be challenged?
6th principle DPA – Rights of data subjectsDPAOtherThe 6th Data Principle is only contravened if the data controller contravenes sections 7, 10, 11 or 12 of the DPA.
7th principle DPA – Destruction of personal dataDPAOtherWhilst the Act doesn’t specify how confidential data should be destroyed, this is up to the data controller who must take care.
7th Principle DPA – SecurityDPAOtherThe duty to take proportionate care of data, and to make sure this is continued when delegating within the controller’s own organisation and in any data processor’s organisation.
8th Principle DPA – Countries with adequacyDPAOtherA list of countries that the ICO consider have adequate data protection laws such that personal data may be transferred to them under the 8th Principle
8th Principle DPA – EmbassiesDPAGovernment-centralIt used to be thought that our embassies abroad were our soil, but this isn’t the case. Foreign embassies on UK soil are part of the UK. The effect on the legality of transferring data is minimal if it’s an EU embassy or our embassy in a EU country, but not otherwise.
Access to Adoption RecordsDPAHealthThe specific statutory instrument that can be used to refuse access to data when disgruntled people ask for it following being turned down as potential adoptive parents.
Access to copies of a credit agreement, original signed copy, or bank statement.DPAFinanceThe obligation to provide copies of credit agreements, and what lenders can and can’t do whilst this is pending. The right to obtain a computer printout of transactions for the £10 fee as opposed to paying for reprints of statements.
Access to Court RecordsDPAPolice, legal & criminal justiceWhere court records are available using the Court processes at a fee, then SARs fail. Otherwise, as long as the info is personal data and in a relevant filing system, SAR applies.
Access to deceased persons’ medical recordsDPAHealthThe DPA doesn’t apply to dead people. Some health records may be obtainable under other legislation.
Access to information held by schools – maintained schoolsDPAEducationParents / guardians may request their pupil’s records under education regulations, the school must respond with 15 days. They can only do a SAR if they act on behalf of the child and the child doesn’t have capacity. A child with capacity can make a SAR.
Access to information held by schools – non-maintained schoolsDPAEducationAcademies and Free Schools don’t have the same obligations to provide pupil information to parents, though they do have to do a yearly report and are subject to SAR.
Access to Land Registry informationDPAGovernment – centralThe Land Registry give out personal data but this is in compliance with the Data Protection Act. A person can object using S10.
Access to proof of partners’ convictions / cautions by victims of domestic violenceDPAPolice, legal & criminal justiceVictims of domestic violence need proof of partners’ police and criminal records to qualify for legal aid; this is how they get it.
Access to solicitor’s files while under a lien.DPAPolice, legal & criminal justiceSolicitors may withhold documents if their clients haven’t coughed up their fees; however, they must still respond to SARs.
Access to the Register of Houses of Multiple Occupancy (HMOs) under the FOIAFOIGovernment – LocalPersonal data of landlords recorded on the register can be provided in response to FOI requests, but the local authority can exempt the register via S21 as they have to make it available for inspection and copy under other legislation.
Administrative calls and direct marketingPECRDirect marketingOrganisations can still contact individuals that have opted out of direct marketing, but only for administrative purposes, and mustn’t stray into promoting their services.
Appealing a DN (decision notice)FOIGovernment – centralIf the ICO have made a DN, parties can appeal to the first tier tribunal, but parties can’t go direct to the FTT without a DN.
Automatic Number Plate Recognition (ANPR)DPACCTV & optical surveillanceANPR systems record personal data, therefore organisations using this must comply with the DPA.
Basic DPA definitions -DC, DS, DP, Personal dataDPAOtherKey definitions of terms under the DPA.
BBC information available under FOIFOIOtherThe BBC only have to provide information purposes other than those of journalism, art or literature, and that’s interpreted very widely.
Biometrics in SchoolsDPAEducationProtection of Freedoms Act 2012 places controls on the use of biometric systems in schools.
Boarding Cards – is PD being processed?DPAOtherNot unless evidence proves different.
Body Worn Video (BWV)DPACCTV & optical surveillanceBecause body worn video is likely to be more intrusive, its use must be limited and there must be a privacy impact assessment.
Call RecordingDPAOtherCall recording – can a telephone conversation can be given out to the other person involved in the phone call.
CCTV in ClassroomsDPACCTV & optical surveillanceFor “Classwatch” and similar systems, schools must follow the CCTV Code of Practice and consult parents.
CCTV signage where there is a potential detriment to individuals by identifying the Data ControllerDPACCTV & optical surveillanceFor premises such as womens’ refuges and mental health care accommodation, where identifying the Data Controller may put people at risk, this lists what info must be put on CCTV notices.
Changes to the DPADPAOtherCheck out
Changes to the FOIAFOIOtherCheck out
Charging for public informationFOIGovernment – centralThe charging for info under FOI or EIR.
Childminders DPA registration after ceasing to tradeDPAOtherIf childminders keep electronic records after they stop, they must still register.
CLI identificationDPAInternet & Technology“we may be able to look at a concern about this under the DPA and in particular the first principle.”
Cloud Computing and the US Patriot ActDPAInternet & TechnologyTransferring data to America places it under the Patriot Act. Cloud data companies become data processors. If they comply with legal requirements they’re unlikely to face regulatory action.
Community CCTV schemes (access to footage)DPACCTV & optical surveillanceThe housing association is the data controller; privacy impact must be considered. Potential to view disturbing video.
Companies in AdministrationDPAOtherThe administrator becomes the data controller. The ICO would struggle to take enforcement action.
Cookie Directive – New powers and obligationsPECRInternet & TechnologyAn introduction to the “new” EU cookie directive.
CQC & the National information
governance committee
FOIHealthThe function of this committee is simply to monitor – Not regulate.
CRA Arrangements to pay – fairness of then registering a defaultDPAFinanceA default can legitimately be recorded when a creditor has failed to make three of their monthly payments, but they must not be worse off than somebody who hasn’t attempted to pay at all.
CRA Can I stop them from processing my personal data?DPAFinanceS14 only applies where information is inaccurate or out of date; S10 only where processing “unwarranted” so creditors can’t stop firms using their personal data.
CRA Default on a credit file Vs default under the CCADPAFinanceA default notice isn’t necessary (though is advisable) for defaults to be recorded on a file as this is different from a default under the CRA.
CRA Defaults – Guidance for filing defaultsDPAFinance“the absence of a formal ‘default notice’ would not prevent a default from being registered on an individual’s credit reference file”
CRA Defaults – Necessity of recording of defaults with multiple CRAs.DPAFinanceLenders can report defaults to any, none or all credit reference agencies as they see fit.
CRA Defaults – Recording of defaults relating to debts that have been sold.DPAFinanceDebts are often sold. As long as the sale is correctly recorded on the credit reference file there isn’t a problem.
CRA Defaults – Showing defaults relating to unenforceable debts.DPAFinanceJust because a debt isn’t enforceable doesn’t mean that it is incorrect to record defaults on a credit reference file.
CRA Do they require consent to process personal data?DPAFinance“No.”
CRA Credit searches on financial associatesDPAFinanceIt is fair to run credit searches on financial associates, (for example, someone’s partner), but should be in T&Cs.
CRA How accounts included in a bankruptcy should be recordedDPAFinance“Default date MUST be NO LATER than the date of the Bankruptcy. Settlement date (where shown) MUST be NO LATER than the date of Discharge.”
CRA How payments on a debt management plan should be recordedDPAFinanceToken payments in Debt Management Plans can be classed as a Default in some circumstances, but if the lender is genuinely recovering the debt through token payments then a default should not be recorded.
CRA None credit organisations passing information to a CRA?DPAFinanceDespite not being lenders, utility companies can legitimately supply info to credit reference agencies. Some tenants may voluntarily include their rent payments on their credit files to help repair their rating.
CRA Rapid updates and P4DPAFinanceAll three Credit Reference Agencies have a fast-track update facility to correct mistakes on subjects’ records. They aren’t always required to use it.
Data Controllers -Multi-national company locationsDPADirect MarketingNations in which Facebook, Google, Acer, Apple, Amazon,, eBay, Skype and Ryanair have presences.
Data Sharing – Gloucestershire Multi Agency Risk AssessmentDPALocal GovernmentA local scheme for sharing information on domestic violence and abuse. Sharing data is probably legit.
DBS checks and filteringDPAPolice, legal & criminal justiceAs of 2013, certain cautions and offences “expire” and aren’t reported in response to disclosure and barring scheme checks. This gives details of how these and fixed penalty notices are dealt with.
Debt collectorsDPAFinanceSometimes they’re data processors, sometimes controllers. Mistaken identity concerns; Code of Practice etc.
Deceased Individuals – Information about.DPAOtherThe DPA doesn’t apply to dead people. FOI may be useful. There’s a separate LTT for where people write a SAR then die before the SAR response.
Devolved government – creating conditions for processingDPAGovernment – CentralA devolved government / assembly can’t create new conditions for processing
Domestic CCTV and Section 36DPACCTV & optical surveillanceDomestic CCTV is subject to the DPA if it takes in any areas outside the occupier’s personal domain. Very extensive guidance!
DPA Definition – “Health record” vs “Accessible record”DPAHealthEsoteric info on definition of “health” and “accessible” records; the difference between the two is beyond me.
DPA Exemptions – Niche and MiscellaneousDPAOtherManual data held by public authorities S33A, Parliamentary Privilege, Armed forces, Judicial appointments and honours, Crown employment, Management Forecasting, Corporate finance, Negotiations, Self-incrimination
DPA Exemptions – OverviewDPAOtherA summary of DPA exemptions from obligations in SAR and non-disclosure.
DPA Exemptions – Section 28 – National SecurityDPAGovernment – centralThe extent of the exemption and the certificate required to engage it.
DPA Exemptions -Section 29 – Crime and taxationDPAPolice, legal & criminal justiceThe degree of importance required for legitimate engagement of this exemption; the transfer of the exemption to other bodies etc.
DPA Exemptions – Section 30 – Health, education and social workDPAHealthExemptions where providing info under SAR would damage the requester or anybody else, or where the subject doesn’t have capacity but objects to the info being provided to their representative.
DPA Exemptions – Section 31 -Regulatory activityDPAGovernment-centralThe limitations on the exemption on “subject information provisions” where such would affect regulatory activity.
DPA Exemptions – Section 32 – Journalism, literature and art (the special purposes)DPACCTV & optical surveillanceThe factors required for the exemption to engage, and the sections of the act that are exempted. “Indeed, the only circumstance where an individual can make a claim for compensation relating to distress alone, (rather than damage and distress), is where the processing is for the special purposes.”
DPA Exemptions – Section 32 – Acknowledgements in booksDPAOtherSection 32 (special purposes) specifically covers personal acknowledgements in a (nonfiction) book.
DPA Exemptions – Section 33 – Research, history and statisticsDPAEducationThe conditions required to engage the exemption, and the extent of the exemption.
DPA Exemptions – Section 34 – Information made available to the public by or under enactmentDPAGovernment – centralWhere a statutory organisation has to provide info under other legislation, e.g. the Companies Act, even at a fee, it’s exempt from SAR / non-disclosure requirements.
DPA Exemptions – Section 35 – Disclosures required by law or made in connection with legal proceedingsDPAPolice, legal & criminal justiceMandatory and discretionary waiving of non-disclosure requirements where legislation or a specific court order applies.
DPA Exemptions – Section 36 – Domestic purposesDPAOtherNear total exemption except that the law still allows the ICO to investigate whether the exemption has been over-stepped. (What?!)
DPA Section 10 – Right to prevent processingDPAOtherThe ICO will only investigate whether the controller responded within 21 days; it won’t make any decision on whether the processing should stop or not – only the Court can do that.
DPA Section 55 – Business to businessDPAEmploymentStandard letter saying the ICO won’t get involved in commercial disputes between businesses unless individuals have experienced substantial distress.
DPA Section 56 – Enforced Subject AccessDPAEmploymentUnder review as of May 2015. Employers can force people to do a SAR to the police because this section hasn’t been implemented. Such SARs may contain extra info than the employer could get through other statutory schemes, such as the disclosure and barring service, and this isn’t good. There’s nothing the ICO can do.
Drones / Unmanned Aerial Systems (UAS)DPACCTV & optical surveillanceWhen used commercially, a Privacy Impact Assessment is required.
DVLA releasing keeper details – Protection of Freedoms info only.DPAGovernment – centralWhere a car park operator’s CCTV / ANPR catches a driver infringing its T&C’s, they’ve got 14 days to get details from the DVLA and issue a notice to the owner. In general, the ICO considers that if the operator doesn’t meet this deadline, the DVLA can still give out info even after the 14 days is up, even though the debt won’t be legally recoverable.
DWP, Personal Data and JSA applicationsDPAGovernment – centralThe DWP is legitimately processing personal information when assessing eligibility for Jobseekers Allowance (JSA) over the phone, even though it’s a lot of data.
ElectionsDPAPolitical partiesPolitical campaigning is marketing. They can use the unedited electoral roll. Election addresses are exempt from individuals’ right to opt out of marketing materials, as are unaddressed envelopes or letters to “the occupier”. Live telephone calls are subject to the usual telemarketing rules; parties need an individual’s prior consent before subjecting them to automated calls, emails, texts or faxes. The SNP, Tories, Lib Dems and Labour have all had ICO enforcement notices after using automated calls. What happens to personal data held by an MP following dissolution and election. Guidance for local authority and devolved government elections.
Electoral RegisterDPAGovernment – localThe change to individual registration. Mandatory inclusion on the unedited register. Organisations entitled to access / use the unedited register. How to opt out. If your entry on the register puts you at risk, you can apply for “anonymous registration”.
Employer-funded pension or insurance schemes – sharingDPAEmploymentEmployers should gather the least possible info for the scheme and not use it for any other purpose.
Employer accessing Employee’s
Facebook account
DPAInternet & TechnologyThis isn’t fair.
Employer passing sensitive personal info to pension providerDPAPolice, legal &
criminal justice
A DC will likely satisfy Schedule 2 condition 6(1) ‘legitimate interests’
Employers sharing personal data with unionsDPAEmploymentSome employees’ info may be passed to unions for them to recruit; otherwise it must be anonymised.
Employers using CCTV- summaryDPACCTV & optical surveillanceCCTV at work is intrusive. It must be used with discretion, particularly if covert. Info accidentally caught by cameras used for other things shouldn’t generally be used for disciplinary matters unless it’s such that an employer can’t ignore it. Vehicle monitoring should be minimal, particularly where a vehicle has dual business / private use.
Employers using gagging clauses relating to DPA, FOIA.DPAEmploymentSometimes employers include “gagging clauses” to stop employees using their rights under the DPA and/or FOIA. These don’t stop employees using their DPA / FOIA rights, but employees may be in breach of contract if they do (and if the contract is judged legally watertight.) The ICO only gets involved when the employee has actually made a request which the employer hasn’t complied with, and then won’t make any determination as to whether the gagging clause is fair.
Employers using information posted onlineDPAEmploymentWhere an employer comes across info on Facebook etc. this may feed into disciplinary investigations but its weight as hearsay should be taken into account. This doesn’t apply where employers actively monitor employees’ Facebook accounts etc.
Employment reference – Provision without consent.DPAEmploymentOnly provide info to 3rd parties with the employee’s consent or if you’re legally required to; be careful with sickness / medical info.
Encryption of mobile devicesDPAInternet & TechnologyThis is recommended.
EIR – Charging for staff time – ‘locating, retrieving and copying data’.EIRGovernment – Central
Exam Marks and ScriptsDPAEducationExam marks are exempt until the results are announced. SARs for such must be responded to within four months of the request or 40 days of the release of the results, whichever is sooner. Information recorded by candidates is exempt from SARs, but examiners’ comments subject to SAR.
Exemptions under FOIA / EIR and the PITFOIGovernment – centralAbsolute and qualified exemptions; class-based and prejudice-based; timescales for public interest test.
Facebook and PsuedonymsDPAInternet & TechnologyFacebook’s requirement of a real name doesn’t break the DPA
FOIA / EIR FAQs – Guidance docs IndexFOIGovernment – central
FOIA requests to AcademiesFOIEducationAll academies, by virtue of the Academies Act 2010, are subject to the Freedom of Information Act 2000.
FOIA timescales – requests to educational establishmentsFOIEducationFor schools, the standard time limit for dealing with Freedom of Information requests is 20 school days, or 60 working days if this is shorter.
FOIA/ EIR – Internal reviews underFOIGovernment – centralPublic authorities don’t have to do internal reviews under FOI, but most do. They are required to do them under EIR.
FOIA/EIR coverage – recent organisation changesFOIGovernment – centralACPO, UCAS, FOS, Free schools now subject to FOIA; Duchy of Cornwall under EIR but not FOIA; Royal Mail not FOIA any more; Post Office still FOIA.
Free Electoral Roll – FAQsDPAInternet & Technology“Intelligent Tracing” is broadly legit under the DPA, though causing people concern. The ICO has had discussions with them about mechanisms for people to “opt out” their data.
GDPR – ICO guidanceDPAGDPR“we are currently assessing the implications and listening to stakeholders needs”
GDPR – opinion on trainersDPAGDPRICO don’t endorse any training provider but genning up early is a good idea.
GDPR – status as of Feb 2016DPAGDPRAgreed Dec 2015; being proof read by April 2016; in force April 2018.
Gone away post and Telephone callsDPAFinanceIf you’re receiving mail or telephone calls for people who don’t live there, you can tell the organisations and they must stop, though they can’t amend their data because the info isn’t being provided by the person they are attempting to contact. But some organisations must still send letters etc. due to requirements under the Consumer Credit Act.
Google GlassDPACCTV & optical surveillanceThe domestic exemption largely applies to users of Google Glass, though they’re urged to be reasonable. Business users are liable as usual. The ICO are still in talks with Google over their privacy policy.
Google StreetviewDPAInternet & TechnologyDated (pre-implementation) advice indicates that blurring of faces etc. means they were relatively sure Streetview will be legit under DPA.
Health and Social Care data breaches (IG Toolkit)DPAHealthEnglish data controllers must report breaches of health info using the “IG Toolkit”
Health Services and Social Care Services – Definitions/differencesDPAHealthThe ICO considers that “health” in the Data Protection Act covers some aspects of social care.
Housing Association: list of perpetrators of domesit abuseDPAOtherWhether such a list is legit or not depends on the circumstances.
ICO and The Commissioner – FAQOtherOtherWhat the ICO does, how the IC is appointed or got rid of, its sponsoring body, its budget, etc. etc.
ICO register of data controllers. Viewing and use of.DPAOtherThe ICO makes the register of data controllers available by website and by DVD. It can be reused as long as not for nefarious purposes.
Identity theft – MPs guidanceDPAGovernment – centralMPs use this non-ICO guidance.
Information “held” on behalf of a PAFOIOtherIf a body doesn’t hold info on behalf of the authority, it isn’t held for purposes of FOI. The ability of an authority to demand the information under contractural arrangements is irrelevant.
Judicial notesDPAPolice, legal & criminal justiceThe MOJ is the data controller, and judicial notes are part of a structured filing system.
“Legitimate interests”DPAPolice, legal &
criminal justice
“In relation to Condition 6 (2) of Schedule 2, we are not aware of the Secretary of
State ever issuing an order.”
Location Data and SmartphonesDPAInternet & TechnologyApps etc. must ask permission before collecting location data. Location data must be turned off by default.
London Gazette bankruptcy recordsDPAFinanceBecause archives of the London Gazette is available online, records of “discharged” bankruptcies stay in the public domain. This isn’t really new; previously such would be available in libraries, and in any case some roles require that an individual has never been bankrupt.
Medical Insurance dataDPAHealthThe fact that somebody has made a claim isn’t sensitive personal data, but the value of the claim is.
Missing person reportsDPAPolice, legal & criminal justiceIt’s OK to circulate missing persons’ report on behalf of police
MPs and Constituent’s Complaint FilesDPAPolitical partiesMPs are data controllers. There are special rules for transfer or otherwise of people’s data to “new” MPs.
MPs and Elected Representatives – Disclosures toDPAPolitical partiesThere’s legislation to allow easement of the DPA to make MP’s constituency casework easier; but there are some concerns for privacy so MPs are asked to tell the ICO if a constituent objects.
National Insurance Number as an identifier – DWPDPAGovernment – centralThe use of NI numbers in bank statements etc. is legit under the DPA.
NewslettersDPADirect marketingIf a newsletter contains even the teeniest bit of marketing it is direct marketing.
Nurses registration as data controllersDPAHealthNurses are theoretically data controllers for the 3rd party data they have for their practice reflection in revalidation, but in fact the ICO doesn’t expect them to do so.
Occupational health referrals and data sharingDPAEmploymentRights and procedures when employees request medical information from an employee’s GP
Opt-Out UK LtdDPADirect marketing“(Background information for internal use only)” OptOut may be sending “stop processing” requests to direct marketing organisations even where the person on behalf they’re sending it isn’t on that organisation’s list. Such organisations may need to confirm the ID of the requester. They should set up a “suppression list” of people who don’t want marketing, though they aren’t legally required to.
Patient onlineDPAHealthGPs have to offer online access to some features. This is guidance on this.
Planning Applications / DisclosuresDPAGovernment – localThe requirements to publish information under the Town and Country Act mean that the DPA largely doesn’t apply, including SAR. Where sensitive information is published unredacted, special care must be taken including making the applicant aware.
Police & Crime Commissioners FAQs ( PCC )DPAPolice, legal & criminal justiceIntroduction to the “new” PCCs; requirements on PCCs to publish certain data; PCCs obligations under the DPA and FOIA; and transfer or functions from defunct Police Authorities to PCCs.
Police retention of data.DPAPolice, legal & criminal justicePolice keep personal info for a minimum of 6 years, after which they decide whether to keep it longer; except for data on the PNC, which is kept until an individual’s 100th birthday. The PNC’s data controllers are “all forces in common”, and SARs must go to the ACPO.
Police retention periods – DNA, PoF Act and BiometricsDPAPolice, legal & criminal justiceWritten before the Protection of Freedoms Act, describes the required deletion of DNA samples etc. post ECHR judgment. Lists various retention times for various ages of convicts / arrestees etc.
Private organisations providing services for the NHSFOIHealthPrivate bodies providing services to the NHS aren’t subject to the FOI Act, with the exception of pharmacies and opticians. (Doesn’t mention dentists.)
Publication scheme for EIREIRGovernment – centralBarring certain exemptions, authorities must pro-actively publish EIR online.
Recording calls and Fair processingDPAInternet & TechnologyIt’s not always necessary to tell people their phone calls are being recorded, unless recordings to be used for a different purpose than the original call. Some environments (e.g. call centres) mean that recording for e.g. training purposes may be assumed.
Refusal notice format / contents under FOIA/EIRDPAGovernment – centralFOI. Details of the required content of refusal notices under FOI / EIR.
Reproduction of information from TwitterDPAInternet & TechnologyThe context and recipients of a tweet determine whether republishing it may be “fair processing” of personal data.
Requests for a list of public authorities under EIREIRGovernment – centralThe EIR require each state to publish a list of public authorities. DEFRA does this in the UK.
Retention P.5 DPADPAOtherThe Act can’t describe retention periods for all potential circumstances, so here are some key aspects to take into account when deciding on them.
Retention and Copying of original documentsDPAEmploymentThe DPA is concerned with information, not the physical documents in which it is written. There may be circumstances where employers etc. need to confirm ID with original documents.
Section 19 (publication scheme) versus section 11 (form and format)FOIOtherThe fact that a document in a publication scheme is in an inconvenient format doesn’t mean the body has to provide it under S11.
S35 ‘any rule of law’ and PSNI common law powerDPAPolice, legal & criminal justiceSection 35 ‘any rule of law’ applies to PSNI common law powers.
SAR and third party data – summaryDPAOtherUnless compelling reasons otherwise, the ICO encourages such disclosure. Includes factors to be considered.
SAR by a Trustee of a debtor in bankruptcyDPAFinanceA trustee of a debtor in bankruptcy can request information from a mortgage advice company under Section 366 of the Insolvency Act 1986 free of charge. This is independent of SAR rights. A SAR may return extra information.
SAR Counting the 40 days to respond. (General + Schools)DPAEducationSAR responses have to be sent (not received by the subject) within 40 days. This includes schools, irrespective of holidays, except for educational records which must be returned in 15 school days.
SAR fee – acceptable payment typesDPAOtherData controllers can request payment via a specific mechanism but not insist on it. If the data subject has made a payment in a manner generally accepted for payment in the UK, then the SAR obligations begin.
SAR Handling repeated requestsDPAOtherThis LTT says info sent in response to first SAR doesn’t have to be sent again in a repeat SAR (contrary to that stated in the SAR Code of Practice). Looks at time between repetitions etc. and other practicalities of dealing with repeat SARs.
SAR Health Records FeesDPAHealthSAR fee for data supplied in electronic format is max £10; for manual records £50. Inspection of health records is free if they’ve been amended in the last 40 days, £10 otherwise.
SAR Information exempt as may cause harm – Education.DPAEducationThis exemption only applies to the specific subset of data whose release may cause harm. The ICO are likely to be swayed by medical opinions, but less so of non-medical opinions.
SAR Information exempt as may cause harm – Health.DPAHealthThe ID of the medical professional who must make this decision; when standing decisions can be relied upon; when representatives of people without capacity can be legit.
SAR Information exempt as may cause harm – Social workDPAHealthData Protection (Subject Access Modification) (Social Work) Order 2000 (SI2000/415)
SAR Information from joint accounts /policies.DPAFinanceEach person can get all the data through SAR.
SAR Information in a different languageDPAOtherWhile good practice might suggest information be translated into English (or Welsh / Gaellic I guess) the DPA doesn’t require this as long as it is in an “intelligible form”.
SAR NHS England – CCGs and CSUs – who is the DC?DPAHealthNHS England.
SAR Using S.7 to obtain “Evidence”DPAPolice, legal & criminal justiceCPR disclosure doesn’t trump SAR provisions, but court may not enforce SAR rights in such circumstances.
SAR when the requestor dies during the processDPAOtherAs long as requester still alive when SAR received, SAR must be processed and sent to rep / executor.
Sharing Box Office or ticketing InformationDPADirect marketingWhen booking information is retained by theatres or venues and a travelling show company wants this info for direct marketing they usually shouldn’t be allowed it.
Shot gun licenses (certificates) and doctors’ recordsDPAHealthThe ACPO wants a “tag” on health records of shotgun owners so the GP can warn the police if the person becomes a threat. The ICO thinks this disproportionate, but notes that the letter requesting medical opinion before the license is granted can stay in the notes.
Smart MetersDPAInternet & technologyLater in 2015, companies will start using smart meters that communicate via a Data Communications Company (Smart DCC Ltd). At the moment, “smart” meters communicate direct with energy and utility suppliers; this will swap over at some point. The DCC will have special licenses. This LTT gives various data protection advice on this new model.
Standard letter for EU funded projects approval under FP7OtherOtherApplication packs for funding under the EC’s 7th Framework Programme (research and technology) requires applicants to get permission “where appropriate” from their country’s data regulator. This standard letter says the ICO doesn’t fulfil this function.
Surveillance Camera Commissioner (SCC)OtherCCTV & optical surveillanceThe Protection of Freedoms Act introduced the Surveillance Camera Commissioner (SCC) who must promote good practice and encourage compliance amongst ‘relevant authorities’ using surveillance cameras, and has written a Code of Practice.
TPS – Details of the Telephone Preference Service LtdDPAInternet & technologyThe TPS runs its Preference Services and maintains “do not contact” lists under the Direct Marketing Association but under contract to OFCOM. The TPS also has a complaints handling procedure, though this isn’t statutory. It reports the themes of complaints to the ICO.
“Track My Crime” (MOJ)DPAPolice, legal &
criminal justice
The MoJ is a data processor but RKH (the company manging [sic] the system) is the sub-processor.
Universal JobsmatchDPAGovernment – CentralLots of people raised concerns about “Universal Jobsmatch” and lack of clarity about its processing of data. The DWP have now made it clearer; this is run by “Monster” for the DWP. Its use may be compulsory for some claimants.
US Surveillance, Snowden and PrismDPAInternet & Technology“There are real issues about the extent to which US law enforcement agencies can access personal data of UK and other European citizens.” The ICO is working with other EU countries on this.
Use of publicly available informationDPAInternet & Technology“People search” websites are generally legit under the DPA. The ICO can look at people’s complaints about them.
VanguardsDPAHealth“organisations that have been awarded funds for NHS innovation projects” may need to share data; here’s how
Vehicle Registration Marks as personal dataDPACCTV & optical surveillanceWhen Vehicle Registration Marks are collected by ANPR for parking / speeding fines etc. they are personal data.
Win-Back CampaignsDPADirect marketingWhere people have opted out of direct marketing, companies occasionally asking if they want to come back is OK, but only as part of normal communication. “If you don’t respond we will add you to our list” is particularly bad.


Casework Advice Notes

The Information Commissioner’s Office have released to me their Casework Advice Notes. These previously unreleased documents guide their staff on how to deal with various circumstances when they are asked for a S50 assessment of a public authority’s compliance or otherwise with the Freedom of Information Act and/or the Environmental Information Regulations. Previously we have had Lines To Take, which tell caseworkers what stance to use on certain key aspects of the Act and Regulations. These Casework Advice Notes give more practical guidance.

Some of them are illuminating of the internal machinations of the ICO. I particularly like their advice on the use of S40(3), which basically says: only consider this exemption if you are absolutely forced to by the Public Authority’s intransigence; in all normal circumstances persuade the Authority to use a different exemption.

For ease of use and for interest of others, I have indexed the 18 CWAN (CaseWork Advice Notes) with a brief summary of the contents. My summaries may not be correct and should not be used as a definitive statement of the Notes. Click on the Casework Advice Notes number or the Subject Details to download a PDF of the real CWAN.

CWAN numberFOI / EIR SectionSubjectsDetails


Prejudice to effective conduct of public affairs.

Common problemsLack of evidence that the Qualified Person (QP) has made a decision; problems with identifying the QP, reasonableness of QP’s decision.


Prejudice to effective conduct of public affairs.

Reasonable opinionChange from “reasonable in substance and reasonably arrived at” due to difficulties in determination. ICO developed own definition, based on dictionary: “in accordance with reason; not irrational or absurd”. “Reasonable opinion” doesn’t have to be the only / “most” reasonable one, nor does the ICO have to agree with it.


Information provided in confidence.

Anonymised information about people and the duty of confidence & standard DN wordingWhere it is not possible to identify the subject of information from the material to be disclosed, either on its own or together with other information available to the public, it is no longer necessary to consider each limb of the Section 41 test of confidence. Also provides boilerplate text to put in DNs.


Cost of Compliance

Exercising the Commissioner’s discretion to accept late claims of section 12If a public authority has collated the requested material to justify usage of another exemption (e.g. s43) but then abandons the original exemption and attempts to rely on S12, the ICO does not uphold the S12 exemption as the material has already been collated and there would be little extra cost in supplying it.
5EIR reg 12(4)(e) Internal communications.Email chains as “internal communications”In email chains, the sender and every recipient of every email in the chain must be in the authority for the exemption to apply. Caseworkers should broadly accept PA’s statement to this effect to minimise ICO investigative time. Each email must considered on its own; an email chain consists of multiple documents.
6s1, Part II exemptions reg 5, reg 12Email attachmentsA request for an email usually includes any attachments. Where printed emails and attachments are supplied, ICO may ask PA for written statement detailing attachments were attached to which emails to mitigate confusion.


Prohibitions on disclosure

ECHR Article 8 (respect for private and family life) as a statutory prohibitionRarely used as S40 and S38 deal with most issues. Posited example: an identified group of residents guilty of sexual assault but not specified which one so S40 and S38 don’t apply, but Article 8 may do. Process by which this is determined.


Application for decision by Commissioner.

Referencing Select Committee opinions and parliamentary proceedings in decision notices.Parliamentary Privilege applies to Select Committees and thus DNs must not rely on their statements
9S2, 12(1)(b)Handling a suspicion of wrongdoing by a public authority in DNs.“Case officers must take great care when drafting a DN in any case in which there is a suspicion of wrongdoing. If necessary, use a confidential annex rather than run the risk of revealing that there is a smoking gun.”
10s2, Part II exemptions, reg 12, reg 13Public domain – practical guidanceWhen considering a claimed exemption, ICO workers should do a brief Internet search to see if information already in public domain. Be careful about referring to Parliamentary material.


Investigations and proceedings conducted by public authorities

Evidence required to engage section 30(1)(a)Any evidence generated after a decision not to contiue a criminal investigation cannot be subject to the S30(1)(a) exemption. But investigations to consider whether an offense has occurred do engage S30(1)(a) until and unless satisfied that offence hasn’t occurred. Police must state broad category of offense; other public authorities must be more specific.

19, 21

Publication schemes / info available by other means

Approach to S19 and S21 exemptionsWhere both claimed, ICO should consider S19 first, because if the material is correctly published and so S19 is upheld, S21 is upheld by default. If PA hasn’t used Commissioner?s model scheme, S19 exemption automatically denied.
13S50 / Reg 18DN drafting stepsCaseworkers must be careful and specific in DNs about actions they require PA to undertake, particularly avoiding phrase “the requested information”, to make the DN easier to enforce. Gives standard approaches to DNs on several common themes.

Applicant’s personal data

Applicant’s personal dataIf a request is for personal data alone, caseworkers consider PA’s compliance with SAR. If the request is for a mix of own data and non-personal data and S12 / S14 exemption upheld, authority directed in DN footnote to respond to SAR. If S12 / S14 exemption not upheld, warn authority to use S40(5) for any personal data.
15S40, Reg 13Sensitive personal data and fairnessIf request is for 3rd party sensitive personal data, nearly always “unfair” – ICO have boilerplate text for DN. If the 3rd party has actively published the info or has given consent to its release, then it is “fair” and S40 / Reg 13 don’t apply.
16S40, Reg 13Considering whether disclosure of personal data would be lawfulCaseworkers only consider this if release of info is “fair”. Release of info should be considered lawful unless and until evidence suggests otherwise. Statute, common law, duty of confidence or enforceable contract must be considered.
17S40, R13Data subject’s consent to disclosureIf 3rd party gives consent for release of their data within the statutory timescale of FoI request, it is absolute. If given outside this time, ICO must make interpretation as to whether this was a fully formed decision at the time the FoI request was made. If consent is actively NOT given, consideration must be given to whether info release would be “fair”. PAs are not required to ask data subject for consent, but in some circumstances it may be useful for the caseworker to suggest to the PA that they do so.
18S40(4), R13(3)Information exempt from subject access rightCaseworkers should only consider this exemption if claimed by the PA, and they should suggest the PA rely on other, less complicated exemptions. With rare exceptions, it is unlikely to be fair processing to release info about an individual to the public under FOI when exemptions mean they can’t get it via SAR.


Categories: ICO