The following descriptions are case closure outcomes used by the ICO’s Information Access Team when completing information request casework in our case management system.
Used when all the information requested is both held and we have provided it in full.
Some info provided, other info withheld
Used when some information requested has been provided but we have applied exemptions to other information to withhold it from disclosure. This also includes section 21 refusals, where the requested information is already publicly available elsewhere.
Information not held
Used when we have established that we do not hold the information requested.
Used when we have applied exemptions to all the information requested, in order to withhold it from disclosure. This also includes section 21 refusals, where the requested information is already publicly available elsewhere.
Used when the customer withdraws their request.
Some info provided, other info not held
Used when some information requested has been provided but we have established that we do not hold everything that has been requested.
Used when we are responding to a request where an informal response (like an explanation or clarification) is likely to be more useful to the customer.
Refused – vexatious/repeat request
Used when we are refusing to respond to a request under section 14 of the FOIA, because we consider the request to be vexatious, oppressive, or a repeat of a request from a customer we have already responded to.
Refusal to take action
Used when we are refusing a request from a customer seeking to exercise data protection rights—for example, requests to erase, amend, or restrict the processing of personal data held by the ICO.
Used when a request is clearly meant for another public authority or data controller and we have provided advice to the customer about how to best redirect their request.
Refused – cost of compliance
Used when we are refusing to respond to a request under section 12 of the FOIA, because we have assessed that to comply with the request will exceed the appropriate limit set by the legislation—for the ICO this is 18 hours.
Used when we are refusing to respond to a request from a customer in relation to their personal data, where we consider the request to be excessive or deliberately designed to cause disruption with no clear intention to exercise the customer’s data protection rights.
Used when we are complying with a request from a customer seeking to exercise data protection rights—for example, requests to erase, rectify, or restrict the processing of personal data held by the ICO.
This is an administrative closure type for cases where we have requested clarification of a request within the last 28 days but have not yet received a response; or where a response to a request has been provided but the customer has asked for an internal review to be carried out and the review is currently ongoing.
Used where we are refusing a request under the Environmental Information Regulations (EIR) where dealing with the request would create unreasonable costs or an unreasonable diversion of resources; and an equivalent request would be found ‘vexatious’ if it was subject to the Freedom of Information Act.
Some info provided, further info requested
Used when we are providing some of the information requested but have required clarification or some other action from the customer—for example, providing authorisation if they are acting on behalf of someone else—before we can respond to the request in full. If a case is closed using this outcome it means the customer did not reply with the necessary clarification or action.