The purpose of ICO – the Information Commissioner’s Office – is to stated on their website to be to…
…uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
However when ICO themselves are subject to a data access request they are prepared to break the law regarding such.
Given that ICO is charged with upholding the law in relation to data access requests this evasiveness ensures that they have lost the moral authority to be able to enforce data access legislation when things go wrong.
More damming though is that a recent investigation revealed ICO’s means of investigating disclosure breaches is so weak and inept as to render it futile to raise issues before them.
Put simply here’s what happened…
I made a data access request to Wakefield Council. The Council only provided four pages to begin with, then produced more but significantly failed to include the first 53 pages of data from the request, so ICO were informed after the Council had been given ample chance to correct matters.
The original matter put to ICO as a formal complaint was:
The final response is seen attached. Not only has the data requested not been provided but also the Council has directed me to the wrong agency to seek the answers / disclosure wanted. This is clear in the attached PDF. In fact the majority of the questions I am directed to seek answers to elsewhere comprise of information from Wakefield Council that only they have access to. The response of the Council is therefore misdirection as well as a breach of the relevant Act in failing to provide the data requested on 12.4.21.
Therefore I refer this matter to you for assessment on if the Council has fulfilled its obligations in respect of provision of data. The attached Word file contains all correspondence from April 2021 onwards.
ICO responded after some months and their Case Officer Rachel Webster stated:
In my view I have fully considered the data protection issues you have raised and in light of the Council’s response I do not believe there are any outstanding data protection issues that we would want to pursue further with the Council at this time. As I have explained in correspondence to you our role is not to necessarily resolve every aspect of an individual’s complaint to their satisfaction.
My reply to this was sent shortly after, on 30.3.22 and stated:
There are 54 pages outstanding that have not been produced from a data access request. This is something I have been clear about across this process and the disclosures remain outstanding.
What proof have the Council shown to ICO that the relevant data has been produced?
Further that ICO tried to shuffle off responsibility for adjudicating on the data access failure by the Council. Outrageously Webster suggested:
I understanding you are currently taking legal action against the Council and it may be that these issues are resolved as part of that process.
Now here’s where things get funky.
In my email of 30.3.22 I requested:
It is for ICO to resolve the issues put before it: the Council has failed to produce data as the result of many requests to do so and was in breach of the law in repeated failures to disclose. ICO’s responsibility is to chase such matters and ensure compliance outside of any other process.
And of course I stated:
What proof have the Council shown to ICO that the relevant data has been produced?
And ICO’s response to this on 7.4.22 was:
We take information provided by organisations in response to data protection complaints in good faith. As a decision by our office is only a view or an opinion rather than a final determination we do not have to request evidence/proof from organisations concerned. In this case the Council believe they have fully complied with your request however it is clear from your correspondence that you disagree that this is the case and the information is outstanding. We have raised your concerns with the Council and we’re satisfied with the Council’s response and that at this time there is no further action for us to take in relation to your case.
That’s right. You read that correctly.
ICO does not seek out or require proof from organisations that they have complied with their responsibilities. Indeed in a situation such as this where a member of the public asserts that they have not then ICO will accept the comments of the organisation that they have over and above any evidence that the public has provided.
ICO then attempted to fob me off with some data in response to a request I made. The data was not that which I requested.
I in fact requested all communication between Wakefield Council and ICO. My response to ICO was sent 9.4.22 and stated:
Further that the data supplied does not support comments made in your emails to me about information supplied by the Council to ICO.
ICO claim that the Council’s attempt at a get-out-of-gaol-free card in this matter was to state that they had a particular defence in law as to why the data had not been provided. The data produced by ICO between them and the Council did not contain this claim from the local authority. So where did it come from? A further data access request was made to ICO for proof that the Council had stated to ICO what ICO claimed the Council had stated.
Simple enough you would have thought. Especially in the light of ICO’s failure to produce the relevant data in copies of correspondence with the Council.
ICO failed to produce this data. I wrote back to state:
Given ICO’s stated position as regulator for data access / information rights issues this is simply not good enough. At a minimum I would expect fulfilment of the data access request made and chased 7.4.22. That such disclosure from ICO should show that ICO has interacted with the Council on the matter of IC-134978-B9K1 and that the Council has responded appropriately back to the matters raised in this complaint.
ICO shot back with:
Thank you for your email below. I note your comments and can provide the following response. I can reassure you I have considered all the information provided by you and the Council in relation to this case.
This amounts to two failures to provide data requested. In the second instance ICO purposefully fail to address the renewed request for specific data from their office.
Given that the data I provided showed that the Council had clearly withheld disclosure for no legitimate reason it seems odd that ICO should prefer the Council’s response, especially in a situation in which they appear to have provided ICO with no supporting data.
It’s a relief to anyone who brings a data access complaint to ICO to learn that, as stated in theur response to me of 30.3.22:
…our role is not to necessarily resolve every aspect of an individual’s complaint to their satisfaction. Rather we consider data protection complaints that are brought to us partly in order to identify issues with an organisations information rights policies/procedures.
Which in practical terms means that ICO will ignore issues in complaints brought by the public which it finds irksome to deal with. This may mean that if enquiries with a misconducting organisation are going to be long and drawn-out that ICO will ignore complex aspects of the complaint made. Historically even in matters where there is a significant breach of the law by an organisation ICO also fails to act punitively and instead builds up a file of data on the organisation’s failings.
A case review was requested and completed 22.4.22 by Lead Case Officer Alison Fletcher.
Again this failed to address the issue of the data requested from Wakefield Council to ICO which supported the comments made by ICO, as had all the prior responses from Rachel Webster. A further response from Alison Fletcher also failed to address the issue of the data not being supplied
Does ICO have a specific reason for withholding the data requested? Likely this is a matter of professional reputation. That a full disclosure of the data I requested would show that ICO failed to investigate this matter to a reasonable standard and perhaps that the Council did not provide them with the data ICO claimed they did. This has to be the case since I provided sufficient evidence to show Wakefield Council had breached its responsibility in law to provide all the data I originally requested from them. The sign of a weak investigation is in the reply provided by ICO which stated:
We take information provided by organisations in response to data protection complaints in good faith. As a decision by our office is only a view or an opinion rather than a final determination we do not have to request evidence/proof from organisations concerned
As I mentioned the practical effect of this is that if an organisation claims not to have breached the law then ICO simply accept what the organisation have said without evidence and contrary to any evidence provided by the public, however strong.
This is indicative of ICO being an organisation that is unfit for purpose. You might of course argue that they are functioning perfectly: that one part of the State has acted to deflect and cover the illegality of another.
However it is ICO’s careful avoidance of producing data requested showing what the Council stated to them which suggests most strongly that they are unable to properly police the wild west of data legislation.
Just to recap in relation to the seriousness of the malfeasance from ICO. When data was produced showing correspondence from the Council to ICO nothing supporting the comments claimed to have been made by the Council had been sent to ICO, who then went on to be unable to produce the info from the Council supporting what they say the Council had said.
When the body charged with taking others to task for failure to observe information rights law believes itself to be exempt from such laws – and likely making up excuses for organisation’s failures – can there be any doubt that ICO cannot remain much longer in its present form?
Legal Babble 