Monday, April 03, 2017

Side Effect: Snoopers Charter [Part 4]

It's been a wholly unsurprising journey to the Room of Truth with my CSP, only to be locked out of the final door.

After an online chat I finally got my request through to the legal department, only to be told that because it was a corporate account the DPA does not apply, and also that under Part 4 Section 93 of the IPA the CSP is not allowed to release the ICR data to me.

So I replied and reiterated that the moment my SAR arrived identifying me, and linking me directly to the ICR data in question - also providing my authority as the account holder's director - the DPA does apply as my name is linked to the internet usage [and that as my internet usage may contain specific records] and sensitive personal data.

Section 93 also refers to ensuring that the CSP puts adequate controls in place to retain the data in a secure manner. Nothing to do with disclosure. I can find no provision of the IPA which prevents the disclosure of ICR to the data subject(s) in question.

I'm in the middle of designing and developing an anti-spam security solution, so frankly I just don't have the time to focus on this at the moment. Whilst legal opinion appears to be that the IPA is not legal, I doubt the Prime Minister or Home Secretary are willing to have that "grown-up conversation". However, ICO has enough of a fight ahead convincing the cabinet that it needs to keep parallel laws to keep trading with Europe.

Time to draw another spidergram and send the details to ICO - I can't imagine that the government regulator will do anything other than side with the government communications provider in this case.

I am Jack's total lack of surprise.