
ONR's GDPR Compliance Audit report

Date released: 29 April 2021
Request number: 202103072
Release of information under: Freedom of Information Act 2000

Information requested

I am formally requesting a (full copy in original format) of the ONR's last independent external Information Rights & GDPR Compliance Audit - Who executed the audit & on what date?

Information released

I confirm that under Section 1 of the FOIA, we hold the information in scope of your request. ONR’s GDPR compliance reports are conducted by the Government Internal Audit Agency (GIAA). The most recent of those reports was published on 3 February 2020 and the overall compliance marking is available at page 56 of our Annual Report and Accounts.

However, with regard to your request for the full report, after careful consideration, we have concluded that we are unable to disclose this information. This is because, if released, we believe it is likely to cause prejudice to the effective conduct of public affairs under Section 36 of the FOIA.

We believe that disclosure of the report would inhibit free and frank discussions in the future, and that the loss of frankness and candour would damage the quality of advice and deliberation and lead to poorer decision making.

We have carefully considered the balance of public interest in this case and believe, for the reasons set out in Annex A, that maintaining the exemption outweighs the public interest in disclosing the information. Further details about the exemption applied and Public Interest Test (PIT) are set out in Annex A. We understand that you will find this frustrating but can assure you we have given this request very careful consideration.

Annex A - Details of Exemption Applied

Prejudice to the effective conduct of public affairs (section 36)

Section 36 grants an exemption if, in the reasonable opinion of a “qualified person”, disclosure of the information under the Act would, or would be likely to:

  • S.36(2)(b)(i) - inhibit the free and frank provision of advice, or
  • S.36(2)(b)(ii) - inhibit the free and frank exchange of views for the purposes of deliberation, or
  • S.36(2)(c) - prejudice the effective conduct of public affairs.

ONR’s “qualified person” for the purposes of the FOIA is Adriènne Kelbie, our Chief Executive. In her opinion, section 36 is engaged here.

She is of the opinion that disclosure of this information would inhibit the free and frank provision of advice by internal audit, the free and frank exchange of views for the purposes of deliberation during the internal audit cycle, and prejudice the effective conduct of public affairs (including the conduct of internal audits).

This is vital to ensure that findings from all audits and reviews can be used to improve processes and share good practice across the organisation, demonstrating our commitment to drive continuous improvement and raise standards.

As this is a qualified exemption, we are required to consider whether the public interest in maintaining the exemption outweighs the public interest in disclosure. We have therefore applied the Public Interest Test, as set out below.

Public Interest Test

Factors for disclosure

  • As set out in our Strategy 2020-25, we aim to be an exemplar of transparency and openness to retain, and enhance, the trust and confidence of the workers and public we serve.
  • Disclosure would provide the public with an increased amount of information and would reflect ONR’s policy of openness and transparency.

Factors against disclosure

  • An independent and objective Internal Audit service is essential to provide the assurance over the adequacy and effectiveness of risk management, control and governance. Disclosure of Internal Audit detailed findings and assessments would be likely to substantially inhibit the willingness of senior managers to fully engage with and support the Internal Audit process, and the unrestrained, frank and candid exchanges required for the process to remain effective would be likely to be impaired. This factor is given significant weight in the Public Interest Test balancing exercise.
  • The potential for Internal Audit findings to be disclosed publicly would be likely to prejudice the:
    • willingness of management to engage with Internal Audit as part of the risk-based planning process, which by design results in the commission of assurance activities focusing on areas of known weakness or greatest risk,
    • candour and openness of discussions with stakeholders during the delivery of Internal Audit assignments, and
    • acceptance of objective and evidence-based Internal Audit assurance opinions and recommendations to support improvements in controls and risk management.

These factors are given significant weight in the Public Interest Test balancing exercise.

  • There is sufficient information already in the public domain which addresses the public interests in openness and transparency. The overall assurance rating for the GDPR compliance review is reported in the Annual Report and Accounts. This factor is given significant weight in the Public Interest Test balancing exercise.

Conclusion

After careful consideration of the factors set out above, ONR considers the public interest in maintaining the exemption outweighs the public interest in disclosure, and therefore the information should be withheld from disclosure under section 36(2)(b)(i), (ii) and (c) of the FOIA. On balance, the interests of the effective conduct of public affairs outweigh the need for openness in terms of the specific information that has been requested.

Exemptions applied

Section 36

PIT (Public Interest Test) if applicable

Yes, detailed above.