22 Apr 2026 · 6 min read
ICO defensibility: what a complete SAR evidence pack actually looks like
A field guide to the artefacts the Information Commissioner's Office reviews when a SAR response is challenged — and the bare minimum you should ship from every triage.
What the ICO actually reviews
The ICO doesn't audit your software stack. They audit the trail. The artefacts that matter, in order:
- The scope statement agreed at intake
- Per-passage decision log with rule citations
- Reviewer identity for every decision
- Timestamps that pre-date the export
- An integrity check that proves nothing was edited after sign-off
Hash chaining, briefly
Every ledger record includes the hash of the previous record, so each record's hash depends on everything recorded before it. Edit any record and its own hash no longer matches its content, and every downstream link diverges. The verifier flags the first break. It is mechanical, not editorial. One caveat: anyone with write access to the ledger can recompute every hash after an edit, so the chain only proves "nothing changed after sign-off" when the head hash at sign-off was captured somewhere the editors cannot reach (a signed copy, an append-only store, or a third party) and the verifier compares against that.
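A minimal hash-chained decision ledger, added here as an illustration and not code from the page or from any product it describes. It appends per-passage decisions, finds the first broken record, and then shows the caveat: an insider who edits a record and re-chains everything passes a naive check but fails against the head hash captured at sign-off. It also checks that every decision timestamp pre-dates the export time. The field names, the all-zero genesis value, the JSON canonicalisation, and the sample passages, reviewers and rule labels are all constructed assumptions.

```python
"""Hash-chained SAR decision ledger: append, verify, detect post-sign-off edits.

Added example, not the page's own tooling. Record fields, the genesis value,
the JSON canonicalisation and the sample data are assumptions.
"""
import copy
import hashlib
import json
from typing import List, Optional

GENESIS = "0" * 64  # assumed prev_hash for the first record


def canonical(record: dict) -> bytes:
    """Deterministic serialisation of every field except the record's own hash."""
    fields = {k: v for k, v in record.items() if k != "hash"}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")


def record_hash(record: dict) -> str:
    return hashlib.sha256(canonical(record)).hexdigest()


def append(ledger: List[dict], passage_id: str, decision: str, rule: str,
           reviewer: str, ts: str) -> dict:
    """Append one per-passage decision, linked to the previous record's hash."""
    prev_hash = ledger[-1]["hash"] if ledger else GENESIS
    record = {"passage_id": passage_id, "decision": decision, "rule": rule,
              "reviewer": reviewer, "ts": ts, "prev_hash": prev_hash}
    record["hash"] = record_hash(record)
    ledger.append(record)
    return record


def first_break(ledger: List[dict]) -> Optional[int]:
    """Index of the first record whose content hash or back-link is wrong, else None."""
    prev_hash = GENESIS
    for i, record in enumerate(ledger):
        if record["prev_hash"] != prev_hash or record["hash"] != record_hash(record):
            return i
        prev_hash = record["hash"]
    return None


def verify(ledger: List[dict], signed_head: Optional[str] = None,
           export_ts: Optional[str] = None) -> bool:
    """Chain intact, ends at the sign-off head if given, and no decision post-dates export.

    Timestamps are ISO 8601 UTC strings ("...Z"), so string comparison is chronological.
    """
    if first_break(ledger) is not None:
        return False
    if signed_head is not None:
        head = ledger[-1]["hash"] if ledger else GENESIS
        if head != signed_head:
            return False
    if export_ts is not None and any(r["ts"] > export_ts for r in ledger):
        return False
    return True


def rechain(ledger: List[dict]) -> None:
    """What an insider with write access does after an edit: recompute every hash."""
    prev_hash = GENESIS
    for record in ledger:
        record["prev_hash"] = prev_hash
        record["hash"] = record_hash(record)
        prev_hash = record["hash"]


def build_sample_ledger() -> List[dict]:
    """Constructed sample triage: three passages, two reviewers, placeholder rule labels."""
    ledger: List[dict] = []
    append(ledger, "p-001", "disclose", "R-01 applicant's own data", "r.khan", "2026-04-10T09:12:04Z")
    append(ledger, "p-002", "redact", "R-03 third-party personal data", "r.khan", "2026-04-10T09:15:31Z")
    append(ledger, "p-003", "withhold", "R-07 legal privilege", "a.morris", "2026-04-10T10:02:47Z")
    return ledger


def demo():
    """Returns (index flagged by naive check, naive verify after re-chain, anchored verify)."""
    ledger = build_sample_ledger()
    signed_head = ledger[-1]["hash"]  # captured at sign-off, stored out of editors' reach
    tampered = copy.deepcopy(ledger)
    tampered[1]["decision"] = "disclose"  # quiet edit after sign-off
    naive_break = first_break(tampered)  # content hash of record 1 no longer matches
    rechain(tampered)  # insider recomputes the chain to hide the edit
    return naive_break, verify(tampered), verify(tampered, signed_head)


if __name__ == "__main__":
    print(demo())
```

The anchored head hash is the whole point: without it, `verify` is only telling you the ledger is self-consistent, which an editor can always arrange. Record the head at sign-off in the evidence pack itself, and have the verifier take it as input rather than reading it from the ledger.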
What "contemporaneous" looks like
If you write the decisions up the day before you respond, the timestamps show only that the record predates the response, not that each decision was made when the passage was triaged. Sign-off should land at the time of decision, not retrospectively.