FOI No-No
Tim Turner
Practical ??+ theatrical ?? UK GDPR & FOI trainer & consultant. Not GDPR certified (no-one is). Available for hire online or in-person. Will supply own props.
One of the obligations on any #FOI public authority is advice and assistance. You must help the person to make a sensible request, and give context when refusing. A good helpful answer, even if it's a no, can reduce the likelihood of an appeal or complaint. Think about what the person is after, and whether you can guide them towards information that will help them. In this case, someone attempted to dig into the Information Commissioner's Office's approach to enforcement.
The first question is whether the ICO has an enforcement team. You'd think the answer to that one is easy. But no: "technically the ICO does not have an Enforcement Team as such. As a result of GDPR there is no specific enforcement department within the ICO."
Until recently, Steve Eckersley's department was called 'Enforcement'. He's still in charge of a department whose exclusive function is enforcement of either criminal offences or infringements of GDPR and PECR. What they do is what a normal person would call 'enforcement'.
If the structure chart that ICO used to publish wasn't mysteriously absent, I could show this, but it's not as if the people answering FOI requests don't have access to this information. It was - until whatever chicanery is currently underway - in the public domain. They could have said "we have an enforcement department, but we call it Investigations". This would be a helpful and true answer, but instead they create an inaccurate and misleading impression that confuses the applicant.
I think one part of the ICO statement is also untrue. Whatever internal machinations have led to the renaming of the Enforcement Department (Denham's tenure has exacerbated the ICO habit of daft names for jobs and teams), GDPR has nothing to do with it. ICO says "As a result of GDPR". This is false. The GDPR does not force the ICO to make any changes to its structure. At best, it could be the way DPA 2018 gives ICO its powers, but it's not because the DPA doesn't require changes to internal organisation.
f you want to be a smart-arse and blame the ICO's lack of enforcement on the absence of a proper enforcement team, even though I think they do, ICO has just told the world that they don't. It's as much against the ICO's interests to say this, as well as the applicant's
I advise FOI officers to keep an eye on ICO's antics on the FOI website What Do They Know, on the basis that if they can get away with a certain approach, so can you. But please, don't be as bone-headed and unhelpful as this. It's bad practice, and it's probably unlawful.
Senior Consultant - Data Protection & Privacy | Information Law [et al] | Lead-preneur | LogosLogic
4 年Tim Turner - Thank you!