If public authorities are subject to enforcement action by the Information Commissioner (eg, monetary penalty notice, undertaking, audit, enforcement notice etc), they should be prepared for internal reports into why the action was taken to become the target for Freedom of Information (FOI) requests. This is the outcome of a …
Being smacked by the ICO
is rather like being hit in the face with a small fish (a la Monty Python sketch).
Do nothing, pass on the fine
Responding with the report would be "prejudice to effective conduct of public affairs" when people learned that Ealing council will just pass the fine on through council tax and carry on as before.
Or maybe they did investigate and improve security, then missed an opportunity to reassure the public.
Of course, the ICO also published the get-out, as "The ICO decided that the council had correctly applied the ‘prejudice to effective conduct of public affairs’ exemption", so all FOIs of this nature will be responded to according to the ICO's advice; public interest be damned.
I've sort of lost the plot as to why we have an ICO, or is it because the EU say we must have one, because all organisations handling personal information must register a Data Protection Officer and without an ICO there would be nowhere to register? Other than turning oxygen into greenhouse gases, do they perform any other function?
Internal review? What review?
"The council refused to provide the requested information stating that the information was being withheld under the ‘prejudice to effective conduct of public affairs’ exemption"
In other words, they had not actually done any kind of review at all, as they did not consider that anything was wrong.
This is predicated on the idea that the "information security" policies the council has are purely for "compliance" purposes, and nobody can be expected to follow them.
This is part of my PhD
This request was submitted as part of the preliminary research I am conducting for my PhD looking at the drivers, methods, and outcomes of information security incident investigations.
If anyone would like to know more about my research, please drop me a line on email@example.com
P.S. Ealing Council still haven't released the document...
‘prejudice to effective conduct of public affairs’
Translation: Someone high enough up the food chain was responsible, so we're going to keep schtum and pay the fine with public money instead of sacking the idiot.