Press "Enter" to skip to content

“Do as I say, not as I do” Is the ICO holding itself to its own standards?

The ICO claims it cannot search its own systems while instructing other public authorities to use targeted searches, avoid blanket refusals, and provide evidence for section 12 cost claims.
“Do as I say, not as I do” – The Information Commissioner?
FOI / Information Rights / Accountability

The ICO Can’t Search Its Own Systems – But Expects Everyone Else To Try Harder

The information rights regulator has spent months telling a requester it cannot search its own case management system, while quietly sitting on internal guidance that says exactly the opposite should be expected of public authorities.

Requests IC-462709-D9Z1 (SAR paper format), IC-462999-X8S7 (“real name” / section 8), IC-476273-R4Q4 (section 12 methodology) Authority Information Commissioner’s Office, acting as a public authority subject to FOIA Stage Initial refusals 28 January 2026 · Internal reviews 25 February 2026 · Disclosure 26 February 2026 WDTK WhatDoTheyKnow — requests submitted under pseudonym per ICO’s own guidance on anonymised requests Background Part of an ongoing series on The Reasonable Adjustment’s FOI strategy and the MoJ’s identity requirement for FOI requesters

When someone submits a Freedom of Information request to a public authority and gets told the cost of responding would exceed the statutory limit, they are entitled to expect a proper explanation. Not a formula. Not a phrase recycled from a template. A genuine, evidenced account of why targeted retrieval is unavailable, what methods were considered, and why the estimate is sound.

That, at least, is what the Information Commissioner’s Office expects of others.

It is considerably less clear that it expects the same of itself.

Two requests, two refusals, one pattern

This publication submitted two FOI requests to the ICO in late December 2025. The first, IC-462709-D9Z1, asked what the ICO knows about the Ministry of Justice’s practice of fulfilling subject access requests in paper format only, and how it has assessed that practice in light of UK GDPR, the Data Protection Act 2018, and the Equality Act 2010’s reasonable adjustment duties. The second, IC-462999-X8S7, asked for the ICO’s internal guidance on how section 8 FOIA is interpreted, specifically in relation to what the ICO means when it uses the phrase “real name” in its published guidance.

Both were refused on 28 January 2026 under section 12 of the Freedom of Information Act 2000, which permits a public authority to decline to respond where the cost of doing so would exceed the statutory appropriate limit: £450 for most public bodies, equating to eighteen hours of staff time at £25 per hour.

The refusals were, to put it plainly, thin.

For IC-462709-D9Z1, the ICO estimated approximately 1,100 Ministry of Justice complaint cases on its system, each requiring manual review at roughly three minutes per case, giving around 55 hours. For IC-462999-X8S7, a similar estimate cited “almost 450” MoJ-related cases at three minutes each, totalling approximately 22.5 hours.

Both refusals contained the same claim: keyword searching within the ICO’s case management system is not possible, no automation or tools exist to reduce the need for manual review, and the appropriate limit is therefore clearly exceeded.

The internal reviews: more of the same

“The Case Officer is an extremely knowledgeable member of the team with many years of experience… Therefore no sampling was required.”

ICO Group Manager, internal review response, IC-462999-X8S7, 25 February 2026

Internal reviews were requested for both. Both were refused on 25 February 2026, signed by the same Group Manager in the Information Access Team.

The review for IC-462709-D9Z1 was brief. The advice and assistance provided was said to be “adequate and acceptable as per our normal processes.” Keyword searches remained impossible. The estimate stood at 1,100 cases × 3 minutes = 55 hours. Review not upheld.

The review for IC-462999-X8S7 was, if anything, stranger. It repeated the same experienced-officer justification, confirmed that “no automation or tools exist which remove the need to manually review the relevant cases”, and stated it is “not possible to search the case management system for FOI Complaints which cite Section 8 as the reason for complaining.”

It then, in the very same response, advised that if the request were limited to complaints “recorded as being about section 8 of the FOIA”, that “would allow us to undertake manageable searches.”

Those two positions do not sit together coherently. Either cases can be filtered by classification, or they cannot. The review offered no explanation for the apparent contradiction.

The same review also raised, unprompted, the issue of aliases. It stated that the FOI Complaints Team “would not accept complaints from persons using an alias as the initial request would be invalid.” That is a substantive regulatory position. Neither this response nor any previous ICO correspondence has properly explained what the ICO means by “real name” for the purposes of section 8 FOIA: what legal test it applies, what authority it relies upon, or where the line between a valid and invalid name is said to fall. The ICO is content to assert the conclusion. It has repeatedly declined to particularise the reasoning.

Then came the disclosure

One day before both internal review responses were issued, the ICO responded to a third request, IC-476273-R4Q4, which asked for the ICO’s internal guidance on how section 12 cost estimates should be assessed. The ICO disclosed it. And what it disclosed is instructive.

The internal knowledgebase material includes a case-learning note on Stephen Campbell v Information Commissioner (EA/2022/0358), a First-tier Tribunal decision concerning HM Treasury’s use of section 12. The ICO’s own note records that the Tribunal was critical of HM Treasury for “failing to consider more cost effective ways of conducting those searches, or alternative places where the information may be held.”

It also records the following, directed at ICO case officers for use when scrutinising other public authorities’ section 12 claims:

“Case officers are advised to be alert to resisting a blanket claim that section 12 applies and seek evidenced reasons in support of the estimate in the context of the circumstances of the case.” ICO internal knowledgebase, disclosed under IC-476273-R4Q4, February 2026

Read that again. The ICO’s own internal material tells its staff to resist blanket section 12 claims and to demand evidenced reasoning in context.

The ICO’s own handling of IC-462709-D9Z1 and IC-462999-X8S7 involved the following: a blanket section 12 claim, a cost estimate based on officer experience rather than sampling or analysis, assertions that targeted retrieval and keyword searching are impossible, and no serious engagement with whether centrally held guidance, briefing material, or policy documents could be addressed separately from the complaint casefile universe.

The contradiction, side by side

What the ICO told this publication

“It is not possible to undertake key word searches.”

“No automation or tools exist which remove the need to manually review the relevant cases. This is down to functionality.”

“It was not possible to utilise a targeted retrieval method.”

IC-462709-D9Z1 and IC-462999-X8S7, January–February 2026

What the ICO’s own internal material says

Authorities should consider “more cost effective ways of conducting those searches.”

They should consider “alternative places where the information may be held.”

Case officers should be “alert to resisting a blanket claim that section 12 applies” and should “seek evidenced reasons in support of the estimate in context.”

ICO knowledgebase, disclosed under IC-476273-R4Q4

Why this matters

The ICO’s institutional authority rests on its credibility as a consistent and principled regulator. When it issues decision notices, publishes enforcement reports, and criticises public authorities for poor information governance, it does so from a position of assumed legitimacy: it holds others to account because it is equipped, and willing, to apply sound standards itself.

That legitimacy is weakened when the ICO issues responses that fall below the standard its own internal material says should be applied.

It is weakened further when those responses contain internal contradictions, affirming that section 8 filtering is both available and unavailable in the same letter, and when they substitute credentialed assertion for evidence.

It is weakened further still when the ICO repeatedly uses a legal formulation, “real name”, in correspondence while declining to explain what legal test underpins that phrase, what authority supports it, or how staff are instructed to apply it. The statute says “the name of the applicant.” The ICO says “real name.” The gap between those two phrases is where the standard is actually set, and the ICO has not explained it.

This is not an abstract concern. The ICO’s own published guidance on section 8 acknowledges that personal safety considerations may lead a requester to use a name other than their own, and that authorities should accommodate this. That acknowledgement sits uneasily with the ICO’s own position in these responses, which treats any request made under an alternative name as straightforwardly invalid without engaging with the circumstances or the legal basis for that conclusion. For journalists and researchers submitting requests through platforms that publish correspondence publicly, the answer to what a valid name actually requires matters. For anyone who has had a request dismissed on this basis without a properly particularised explanation, it matters.

What happens next

Further FOI requests have been submitted asking the ICO to explain the legal basis for its “real name” test, to provide the internal handling notes and QA records for these three cases, and to account for the inconsistency between its own section 12 guidance and its conduct here. The ICO has also been invited to comment on the contradiction directly. This article will be updated when responses are received. If you have had a FOI request dismissed on “alias” grounds without receiving a properly reasoned explanation, contact The Reasonable Adjustment.

The regulator’s example

The Freedom of Information Act has been in force for over twenty years. The standard of compliance across public authorities remains uneven and often poor. Vague refusals, unsubstantiated burden estimates, and stock responses are common. The ICO exists, in part, to push back against that.

What message is sent when the ICO itself relies on cost estimates justified by experience rather than evidence, declines to address whether narrower retrievable categories were considered, issues internal reviews that restate the refusal without engaging with the substance of the challenge, and contradicts itself on whether its own systems permit classification-based searching?

The message, at minimum, is that the standards expected of others are not applied with equal rigour internally.

Regulators shape behaviour not only through enforcement but through example. If the ICO’s own responses are indistinguishable in quality from the kinds of responses it criticises in decision notices, then the gap between what it demands and what it practises becomes a credibility problem, and the public bodies it regulates are paying attention.

FOI references IC-462709-D9Z1, IC-462999-X8S7, and IC-476273-R4Q4. All requests submitted to the ICO in its capacity as a public authority subject to the Freedom of Information Act 2000. Responses received January–February 2026. Internal review responses dated 25 February 2026. Disclosure under IC-476273-R4Q4 dated 26 February 2026. Nothing in this article constitutes legal advice. The ICO has been sent a copy of this article and invited to respond prior to publication.

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *