Data Protection Compliance

12 July 2023

Your request

I am writing to make a formal request for information under the provisions of the Freedom of Information Act 2000. I kindly request that you provide me with the following information:

1. A copy of your organisation's Records of Processing Activity (ROPA) as defined in Article 30 of the UK General Data Protection Regulation (UK GDPR).

2. A copy of all legitimate interest assessments conducted by your organisation where you rely on Article 6(1)(f) legitimate interests as your lawful basis for processing.

3. A copy of all privacy impact assessments conducted by your organisation.

4. A copy of all data protection impact assessments conducted by your organisation.

5. A copy of all international transfer risk assessments conducted by your organisation.

6. A recent copy of your organisation's data protection compliance assessment using the Information Commissioner's Office (ICO)'s accountability framework template. If you are using your own standards to monitor compliance with the Data Protection 2018, please provide me with copy of it.

7. A copy of your organization's data protection policy.

8. A copy of your organization's subject access request policy, procedures, and processes, including any guidance material such as folder structure, naming conventions, and redaction guides.

9. A copy of your organisation's privacy notices, including but not limited to employees, customers, ministers, special advisors (SPADs), complaints, NEDS, visitors, and CCTV.

10. A copy of your organisation's due diligence questions for vendor management such as independent data controllers or processors.

Our response

1. A copy of your organisation's Records of Processing Activity (ROPA) as defined in Article 30 of the UK General Data Protection Regulation (UK GDPR).

The ROPA is a large document which would be very diff8cult to extract and send electronically however as per S16 of the Freedom of Information Act (duty to provide advice and assistance), we can offer invitation to come inspect this document at mutual convenient time.

To arrange this this please contact Infogov@lambeth.gov.uk, quoting reference IRN18530387.

2. A copy of all legitimate interest assessments conducted by your organisation where you rely on Article 6(1)(f) legitimate interests as your lawful basis for processing.

This is exempt as per below:

Section 42: Legal Professional Privilege

42. - (1) Information in respect of which a claim to legal professional privilege or, in Scotland, to confidentiality of communications could be maintained in legal proceedings is exempt information

 (2)The duty to confirm or deny does not arise if, or to the extent that, compliance with section 1(1)(a) would involve the disclosure of any information (whether or not already recorded) in respect of which such a claim could be maintained in legal proceedings.

In the case of Bellamy v Information Commissioner it was established that there are two types of legal professional privilege:-

Litigation Privilege which relates to confidential communications made for the purpose of providing or obtaining legal advice about proposed or contemplated litigation

Advice Privilege- applies where no litigation is in progress or contemplated. It covers confidential communications between the client and lawyer, made for the dominant (main) purpose of seeking or giving legal advice.

In this instance, the requested information constitutes Advice privilege

As this exemption is not prejudice-based we are not obliged to outline the harm in disclosure of the information. However we are obliged to consider the public interest in disclosure as follows:-

Public Interest in Disclosure

We appreciate the benefits in transparency and that disclosure would improve public knowledge & debate on this issue.

Public Interest in maintaining the exemption

We note that there is a strong public interest in protecting communications between the Council and its legal advisors.

It is not in the public interest to provide information if to do so would mean that the disclosure would inhibit people from proactively seeking legal advice if they consider that disclosure would be made public.

In accordance with Section 17 FOIA this letter represents a Refusal Notice for this request.

Section 12 (cost of compliance exceeds the appropriate limit)

12. — (1) Section 1(1) does not oblige a public authority to comply with a request for information if the authority estimates that the cost of complying with the request would exceed the appropriate limit. 

The Appropriate Limit applies to costs/time the Council reasonably expects to use in carrying out the following activities to comply with your request:

  • Determine whether the information is held
  • Locating the information or documents containing the information
  • Retrieving such information or documents
  • Extracting the information from the document

In this instance, the process of extracting the information from the document exceeds the Appropriate Limit as provided by The Freedom of Information (Appropriate Limit and Fees) Regulations 2004.

The Appropriate Limit is currently set at £450 which is the equivalent to 18 hours of work at £25 per hour. It is estimated that to retrieve the information for this request would exceed 18 hours of work. The process of retrieving and extracting the data is therefore likely to exceed the Appropriate Limit.

This is because there are approximately 2 conducted per month for 24 each year x last 5 years when they have been conducted under GDPR for a total of 120, which would require a manual trawl of 30 minutes each and therefore to produce would exceed the threshold of 18 hours. 

In accordance with Section 17 FOIA this letter represents a Refusal Notice for this request. 

Should you wish to redefine or shorten your request then please resubmit another request to us and we will consider if we can respond. For example you may reduce the time frame to a few weeks or months. Please note this advice does not guarantee that your information can be provided.

3. A copy of all privacy impact assessments conducted by your organisation.

Under FOI Section 1(1) any person making a request for information to a public authority is entitled (a) to be informed in writing by the public authority whether it holds information of the description specified in the request (b) if that is the case, to have that information communicated to them. 

I am advised by my colleagues that Lambeth Council does not hold any such information. Consequently, the answer to Section 1(1)(a) is no and thus our further duty under 1(1)(b) does not arise on this occasion.

4. A copy of all data protection impact assessments conducted by your organisation.

This is exempt as per below:

I can confirm that we have reviewed your request but consider that the information constitutes legal advice and therefore engages Section 42: Legal Professional Privilege.

Section 42: Legal Professional Privilege

42. - (1) Information in respect of which a claim to legal professional privilege or, in Scotland, to confidentiality of communications could be maintained in legal proceedings is exempt information

 (2)The duty to confirm or deny does not arise if, or to the extent that, compliance with section 1(1)(a) would involve the disclosure of any information (whether or not already recorded) in respect of which such a claim could be maintained in legal proceedings.

In the case of Bellamy v Information Commissioner it was established that there are two types of legal professional privilege:-

Litigation Privilege which relates to confidential communications made for the purpose of providing or obtaining legal advice about proposed or contemplated litigation

Advice Privilege- applies where no litigation is in progress or contemplated. It covers confidential communications between the client and lawyer, made for the dominant (main) purpose of seeking or giving legal advice.

In this instance, the requested information constitutes Advice privilege

As this exemption is not prejudice-based we are not obliged to outline the harm in disclosure of the information. However we are obliged to consider the public interest in disclosure as follows:-

Public Interest in Disclosure

We appreciate the benefits in transparency and that disclosure would improve public knowledge & debate on this issue.

Public Interest in maintaining the exemption

We note that there is a strong public interest in protecting communications between the Council and its legal advisors.

It is not in the public interest to provide information if to do so would mean that the disclosure would inhibit people from proactively seeking legal advice if they consider that disclosure would be made public.

In accordance with Section 17 FOIA this letter represents a Refusal Notice for this request.

5. A copy of all international transfer risk assessments conducted by your organisation.

Under FOI Section 1(1) any person making a request for information to a public authority is entitled (a) to be informed in writing by the public authority whether it holds information of the description specified in the request (b) if that is the case, to have that information communicated to them. 

I am advised by my colleagues that Lambeth Council does not hold any such information. Consequently, the answer to Section 1(1)(a) is no and thus our further duty under 1(1)(b) does not arise on this occasion.

6. A recent copy of your organisation's data protection compliance assessment using the Information Commissioner's Office (ICO)'s accountability framework template. If you are using your own standards to monitor compliance with the Data Protection 2018, please provide me with copy of it.

Under FOI Section 1(1) any person making a request for information to a public authority is entitled (a) to be informed in writing by the public authority whether it holds information of the description specified in the request (b) if that is the case, to have that information communicated to them. 

I am advised by my colleagues that Lambeth Council does not hold any such information. Consequently, the answer to Section 1(1)(a) is no and thus our further duty under 1(1)(b) does not arise on this occasion.

Section 12 (cost of compliance exceeds the appropriate limit)

12. — (1) Section 1(1) does not oblige a public authority to comply with a request for information if the authority estimates that the cost of complying with the request would exceed the appropriate limit. 

The Appropriate Limit applies to costs/time the Council reasonably expects to use in carrying out the following activities to comply with your request:

  • Determine whether the information is held
  • Locating the information or documents containing the information
  • Retrieving such information or documents
  • Extracting the information from the document

In this instance, the process of extracting the information from the document exceeds the Appropriate Limit as provided by The Freedom of Information (Appropriate Limit and Fees) Regulations 2004.

The Appropriate Limit is currently set at £450 which is the equivalent to 18 hours of work at £25 per hour. It is estimated that to retrieve the information for this request would exceed 18 hours of work. The process of retrieving and extracting the data is therefore likely to exceed the Appropriate Limit.

This is because there are approximately 2 conducted per month for 24 each year x last 5 years when they have been conducted under GDPR for a total of 120, which would require a manual trawl of 30 minutes each and therefore to produce would exceed the threshold of 18 hours. 

In accordance with Section 17 FOIA this letter represents a Refusal Notice for this request. 

Should you wish to redefine or shorten your request then please resubmit another request to us and we will consider if we can respond. For example, you may reduce the time frame to a few weeks or months. Please note this advice does not guarantee that your information can be provided. 

7. A copy of your organization's data protection policy.

Please see attached and note that personal data of non-strategic officers has been redacted as we consider disclosure would breach the Data Protection Act 2018 and therefore engage Section 40(2): Personal Data to this request. The definition of personal data is set out in provision 3 of the Data Protection Act 2018 as follows:

(2)“Personal data” means any information relating to an identified or identifiable living individual

(3)“Identifiable living individual” means a living individual who can be identified, directly or indirectly, in particular by reference to

(a)an identifier such as a name, an identification number, location data or an online identifier, or

(b)one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

We note the document requested contains information which would allow an individual(s) to be identified. I have considered whether it would be fair to disclose the information including whether disclosure would cause any unnecessary or unjustified damage or distress to the individual concerned; the individual’s reasonable expectations of what would happen to their information; and balancing the rights and freedoms of the data subject with legitimate interests.

In this case, I can confirm that it would not be fair to the individuals to disclose their personal data as it could cause distress to the individuals.

I do not consider that the individuals would expect the Council to disclose any information which may allow them to be identified. Although I acknowledge the legitimate interest in disclosing general information relating this document, I do not consider the legitimate interest overrides the rights and freedoms of the individual on this occasion.

In accordance with Section 17 FOIA this letter represents a Refusal Notice for this part of the request.

8. A copy of your organization's subject access request policy, procedures, and processes, including any guidance material such as folder structure, naming conventions, and redaction guides. 

Please see attached and note that personal data of non-strategic officers has been redacted as we consider disclosure would breach the Data Protection Act 2018 and therefore engage Section 40(2): Personal Data to this request. The definition of personal data is set out in provision 3 of the Data Protection Act 2018 as follows:

(2)“Personal data” means any information relating to an identified or identifiable living individual

(3)“Identifiable living individual” means a living individual who can be identified, directly or indirectly, in particular by reference to

(a)an identifier such as a name, an identification number, location data or an online identifier, or

(b)one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

We note the document requested contains information which would allow an individual(s) to be identified. I have considered whether it would be fair to disclose the information including whether disclosure would cause any unnecessary or unjustified damage or distress to the individual concerned; the individual’s reasonable expectations of what would happen to their information; and balancing the rights and freedoms of the data subject with legitimate interests.

In this case, I can confirm that it would not be fair to the individuals to disclose their personal data as it could cause distress to the individuals.

I do not consider that the individuals would expect the Council to disclose any information which may allow them to be identified. Although I acknowledge the legitimate interest in disclosing general information relating this document, I do not consider the legitimate interest overrides the rights and freedoms of the individual on this occasion.

In accordance with Section 17 FOIA this letter represents a Refusal Notice for this part of the request.

9. A copy of your organisation's privacy notices, including but not limited to employees, customers, ministers, special advisors (SPADs), complaints, NEDS, visitors, and CCTV.

Privacy notices | Lambeth Council

10. A copy of your organisation's due diligence questions for vendor management such as independent data controllers or processors.

Under FOI Section 1(1) any person making a request for information to a public authority is entitled (a) to be informed in writing by the public authority whether it holds information of the description specified in the request (b) if that is the case, to have that information communicated to them. 

I am advised by my colleagues that Lambeth Council does not hold any such information. Consequently, the answer to Section 1(1)(a) is no and thus our further duty under 1(1)(b) does not arise on this occasion.  

However, please note we do have a procurement process in place; if you wish to receive more information, I would suggest that you lodge a new information request.