ICO threatens itself with legal action over FoI cock-up

The Information Commissioner’s Office is facing one of the most bizarre cases since it was set up as a regulatory body back in 1984, after threatening itself with legal action unless it complies with its own ruling on a bungled Freedom of Information request.

The issue relates to an FoI request made to the ICO on May 28 2018 by a data controller, relating to the change of the ICO’s privacy notice following the introduction of GDPR.

Specifically, he wanted to know under what lawful basis the regulator would be publishing his name and address in the Data Protection Public Register which is available free on the ICO website.

However, while the ICO did respond to the first request within the permitted timeframe of 30 days, it is in the ensuing correspondence between the two parties that it all went horribly wrong.

Section 10 of the FoI Act states that responses to requests made under the Act must be provided “promptly and in any event not later than the 20th working day following the date of receipt”.

In fact, following an internal investigation, the ICO has been found to have failed to respond to a number of requests within 20 working days – one request took over 172 days to answer – meaning the regulator has breached section 10 of the FoI Act. In addition, the ICO did not comply with section 1 of the Act either, as it failed to confirm to the complainant what information it held.

The ruling states: “The Commissioner requires the ICO to take the following steps to ensure compliance with the legislation. Issue a substantive response, under the FoIA, to the outstanding requests.

“The ICO must take these steps within 35 calendar days of the date of this decision notice. Failure to comply may result in the Commissioner making written certification of this fact to the High Court pursuant to section 54 of the FoIA and may be dealt with as a contempt of court.”

While the ruling is highly embarrassing for the regulator, most breaches of the Act are unlawful, not criminal, unless organisations deliberately destroy, hide or alter requested information to prevent it being released.

The ICO cannot fine an organisation – or even itself – if it fails to comply with the Act, nor can it require the business to pay compensation to anyone for breaches of the Act.

However, the maximum sentence for contempt of court is two years in prison, and it can also be punished with an unlimited fine.
