The ICO’s Casework Advice Notes


The Information Commissioner’s Office have released to me their Casework Advice Notes. These previously unreleased documents guide their staff on how to deal with various circumstances when they are asked for a S50 assessment of a public authority’s compliance or otherwise with the Freedom of Information Act and/or the Environmental Information Regulations. Previously we have had Lines To Take, which tell caseworkers what stance to use on certain key aspects of the Act and Regulations. These Casework Advice Notes give more practical guidance.

Some of them are illuminating of the internal machinations of the ICO. I particularly like their advice on the use of S40(3), which basically says: only consider this exemption if you are absolutely forced to by the Public Authority’s intransigence; in all normal circumstances persuade the Authority to use a different exemption.

For ease of use and for interest of others, I have indexed the 18 CWAN (CaseWork Advice Notes) with a brief summary of the contents. My summaries may not be correct and should not be used as a definitive statement of the Notes. Click on the Casework Advice Notes number or the Subject Details to download a PDF of the real CWAN.

CWAN number FOI / EIR Section Subjects Details


Prejudice to effective conduct of public affairs.

Common problems Lack of evidence that the Qualified Person (QP) has made a decision; problems with identifying the QP, reasonableness of QP’s decision.


Prejudice to effective conduct of public affairs.

Reasonable opinion Change from “reasonable in substance and reasonably arrived at” due to difficulties in determination. ICO developed own definition, based on dictionary: “in accordance with reason; not irrational or absurd”. “Reasonable opinion” doesn’t have to be the only / “most” reasonable one, nor does the ICO have to agree with it.


Information provided in confidence.

Anonymised information about people and the duty of confidence & standard DN wording Where it is not possible to identify the subject of information from the material to be disclosed, either on its own or together with other information available to the public, it is no longer necessary to consider each limb of the Section 41 test of confidence. Also provides boilerplate text to put in DNs.


Cost of Compliance

Exercising the Commissioner’s discretion to accept late claims of section 12 If a public authority has collated the requested material to justify usage of another exemption (e.g. s43) but then abandons the original exemption and attempts to rely on S12, the ICO does not uphold the S12 exemption as the material has already been collated and there would be little extra cost in supplying it.
5 EIR reg 12(4)(e) Internal communications. Email chains as “internal communications” In email chains, the sender and every recipient of every email in the chain must be in the authority for the exemption to apply. Caseworkers should broadly accept PA’s statement to this effect to minimise ICO investigative time. Each email must considered on its own; an email chain consists of multiple documents.
6 s1, Part II exemptions reg 5, reg 12 Email attachments A request for an email usually includes any attachments. Where printed emails and attachments are supplied, ICO may ask PA for written statement detailing attachments were attached to which emails to mitigate confusion.


Prohibitions on disclosure

ECHR Article 8 (respect for private and family life) as a statutory prohibition Rarely used as S40 and S38 deal with most issues. Posited example: an identified group of residents guilty of sexual assault but not specified which one so S40 and S38 don’t apply, but Article 8 may do. Process by which this is determined.


Application for decision by Commissioner.

Referencing Select Committee opinions and parliamentary proceedings in decision notices. Parliamentary Privilege applies to Select Committees and thus DNs must not rely on their statements
9 S2, 12(1)(b) Handling a suspicion of wrongdoing by a public authority in DNs. “Case officers must take great care when drafting a DN in any case in which there is a suspicion of wrongdoing. If necessary, use a confidential annex rather than run the risk of revealing that there is a smoking gun.”
10 s2, Part II exemptions, reg 12, reg 13 Public domain – practical guidance When considering a claimed exemption, ICO workers should do a brief Internet search to see if information already in public domain. Be careful about referring to Parliamentary material.


Investigations and proceedings conducted by public authorities

Evidence required to engage section 30(1)(a) Any evidence generated after a decision not to contiue a criminal investigation cannot be subject to the S30(1)(a) exemption. But investigations to consider whether an offense has occurred do engage S30(1)(a) until and unless satisfied that offence hasn’t occurred. Police must state broad category of offense; other public authorities must be more specific.

19, 21

Publication schemes / info available by other means

Approach to S19 and S21 exemptions Where both claimed, ICO should consider S19 first, because if the material is correctly published and so S19 is upheld, S21 is upheld by default. If PA hasn’t used Commissioner?s model scheme, S19 exemption automatically denied.
13 S50 / Reg 18 DN drafting steps Caseworkers must be careful and specific in DNs about actions they require PA to undertake, particularly avoiding phrase “the requested information”, to make the DN easier to enforce. Gives standard approaches to DNs on several common themes.
14 S40(1)

Applicant’s personal data

Applicant’s personal data If a request is for personal data alone, caseworkers consider PA’s compliance with SAR. If the request is for a mix of own data and non-personal data and S12 / S14 exemption upheld, authority directed in DN footnote to respond to SAR. If S12 / S14 exemption not upheld, warn authority to use S40(5) for any personal data.
15 S40, Reg 13 Sensitive personal data and fairness If request is for 3rd party sensitive personal data, nearly always “unfair” – ICO have boilerplate text for DN. If the 3rd party has actively published the info or has given consent to its release, then it is “fair” and S40 / Reg 13 don’t apply.
16 S40, Reg 13 Considering whether disclosure of personal data would be lawful Caseworkers only consider this if release of info is “fair”. Release of info should be considered lawful unless and until evidence suggests otherwise. Statute, common law, duty of confidence or enforceable contract must be considered.
17 S40, R13 Data subject’s consent to disclosure If 3rd party gives consent for release of their data within the statutory timescale of FoI request, it is absolute. If given outside this time, ICO must make interpretation as to whether this was a fully formed decision at the time the FoI request was made. If consent is actively NOT given, consideration must be given to whether info release would be “fair”. PAs are not required to ask data subject for consent, but in some circumstances it may be useful for the caseworker to suggest to the PA that they do so.
18 S40(4), R13(3) Information exempt from subject access right Caseworkers should only consider this exemption if claimed by the PA, and they should suggest the PA rely on other, less complicated exemptions. With rare exceptions, it is unlikely to be fair processing to release info about an individual to the public under FOI when exemptions mean they can’t get it via SAR.

Leave a Reply

%d bloggers like this: