ICO: ICE 360 Case Creation Automation
Automated case creation for the ICO's primary case management system, ICE 360.
Tier 1 Information
1 - Name
ICE Case Creation Automation
2 - Description
The ICO’s case management system - ICE 360 - uses an LLM in the automatic case creation process. The LLM is used to parse information found in unstructured complaints and queries submitted to the ICO via appropriate channels, and derive data for use in case creation. ‘Unstructured’ submissions to the ICO include direct emails to our casework, data protection, advice, and freedom of information mailboxes.
Manually creating cases in ICE 360 is a time-consuming and repetitive task, with frequent need for double-keying data. Automation significantly reduces the administrative burden of this case creation, and reduces the time required for ICO case officers to sift our inboxes and create cases where appropriate.
3 - Website URL
N/A
4 - Contact email
Tier 2 - Owner and Responsibility
1.1 - Organisation or department
Information Commissioner’s Office
1.2 - Team
Enterprise Applications
1.3 - Senior responsible owner
Senior Product Owner - Enterprise Applications
1.4 - External supplier involvement
Yes
1.4.1 - External supplier
Kainos Software Shout Digital
1.4.2 - Companies House Number
Kainos Software - NI019370 Shout Digital - 06926402 Nexer Digital - 06237914
1.4.3 - External supplier role
Kainos Software: Kainos are our contracted development partner for Dynamics 365 and surrounding ecosystem. Their role was solution design consultancy, solution development, and ongoing support.
Shout Digital: Shout were the previous contracted development partner for the ICO website. Their role was development of the website to pass structured data to the automation system.
Nexer Digital: Nexer are the current contracted development partner for the ICO website, and provde ongoing support.
1.4.4 - Procurement procedure type
Call-off from a framework
1.4.5 - Data access terms
Kainos Software have been provided with controlled access to data within our case management system as part of a development and support contract. This has been done in compliance with data protection legislation and all Kainos staff with access to the data have been subject to appropriate vetting checks. Kainos staff are provided access to development and test environments where no production data is stored. Access to production data is granted using the Principle of Least Privilege.
Our web development partner (formerly Shout Digital, currently Nexer Digital) is provided with controlled access to our website and associated ecosystem, which does include form submission data. Their staff are granted permission to production data only as necessary, using principle of least privilege, and all staff with access to production data are subject to appropriate vetting checks by the supplier.
Tier 2 - Description and Rationale
2.1 - Detailed description
Cases are submitted to the ICO in structured and unstructured formats - web form and direct email respectively. While the LLMs in use in case automation only apply to the function deriving data from unstructured submissions, full detail of the case automation functionality has been provided for transparency.
ICE Case Creation Automation: - Intercepts and parses structured data from ICO web form submissions - Intercepts and parses unstructured data through the use of an LLM from direct email communications to ICO mailboxes. - Formats and validates ingested data according to specified data contracts created for each case type. - Creates cases from ingested data wherever the data meets the appropriate criteria as per the data contract. - Populates created cases with all applicable data, associated contacts, organisations, and attachments. - Routes create cases to appropriate work queues for case officers. - Routes ingested data to appropriate work queues for manual case creation or intervention where automated case creation has failed (where the data is insufficient or does not meet our data contract validation criteria).
2.2 - Scope
The purpose of this tool is to automatically create cases in ICE 360 where the complaints or queries are submitted to the ICO via appropriate channels and the data is sufficient and of sufficient quality to automatically create cases.
The automated system will not perform any automation beyond case creation. No automated decisions will be made that will impact the data subject, complainant, or our customers. Automation will not make decisions regarding case outcomes or priority.
2.3 - Benefit
Case Creation Automation improves capacity of case management teams across the ICO by reducing time spent in the creation of cases. Automated case creation is intended to automatically and accurately create cases from data ingested in ICE 360, removing the need for manual and time-consuming processing by case officers.
A secondary goal is to reduce inaccuracies within our data, and therefore reduce regulatory and reputational risk. Inaccuracies are introduced through human error, and the use of workarounds that the current system demands.
2.4 - Previous process
It is estimated that manual case creation takes 12 to 15 minutes on average per case and requires 9.5 FTE per day.
Complaints and queries entered into ICE 360 via email and were routed to mailboxes, depending on their destination or origin, to be surfaced in ICE 360 interface in work queues. Case officers working on the ‘sift’ queues would then create cases from the ingested emails.
The method of creating a case from an email depends on the case type, but typically requires significant manual processing of data, and use of inappropriate and outdated workarounds for data entry that risk data accuracy and compliance.
Only once a case has been created and allocated to an appropriate work queue can a case officer begin to work on the case and communicate with the complainant/customer.
2.5 - Alternatives considered
Microsoft Automated Agents and Copilot were considered as a potential alternative in Dynamics 365. However, this would require a full migration to Dynamics 365 from the current infrastructure.
Tier 2 - Decision making Process
3.1 - Process integration
Case Automation in ICE 360 does not have influence on decision making processes. It provides no input into decisions that ICO employees make on cases, other than the input provided by our customers in their complaint or query.
The feature parses complaints and queries submitted to dedicated ICO mailboxes and derives structured data for us in case creation. The only decision that the automation will make is to allocate data to appropriate fields in the eventual structured data submission. The original source of the data is included in the case for validation by case officers.
3.2 - Provided information
The tool will aim to capture all information from a query or complaint and add this to an automatically created case. This is presented to an ICO case officer as a case with the derived data present in appropriate fields, and the original submissions attached to the case for validation.
3.3 - Frequency and scale of usage
On average in the past calendar year, 6,340 cases were created in ICE 360 per month. Automation is expected to handle upwards of 90% of our case creation, which at these figures would be 5,700 per month.
3.4 - Human decisions and review
The automated case creation process will look to automatically populate all details of a case into ICE 360, and match appropriate contacts and organisations. Where this is not possible, or the submitted data does not meet validation rules, all case data will be passed to a manual processing queue for manual case creation by a case officer. After a successfully automated case creation, a case officer will be required to manually review the information and submit feedback on the success of the automation. Following case creation, all decisions on cases will be made by case officers.
3.5 - Required training
Case officers have been provided with new business processes that define their responsibilities in terms of reviewing automatically created cases and providing feedback. Any future enhancements to the tool will be communicated with case management teams for adjustments to business processes and required training.
Users do not need training in the operation of the automated feature.
3.6 - Appeals and review
As this feature does not make any decisions regarding cases, there is no mechanism for appeal. The automated case creation process will take the data submitted by the complainant/customer and create a suitable case with said data. No decisions are made by the automated feature using this data.
Tier 2 - Tool Specification
4.1.1 - System architecture
System architecture largely exists in the Microsoft Azure ecosystem. Azure Storage is used for storage between web forms and Power Automate. Power Automate will route data to a secure Dynamics case creation API.
Emails are routed with Power Automate to an Azure Foundry LLM to parse unstructured data, before this flows back into the Power Automate case creation flow and through to the case creation API in Dynamics.
This detail outlines the key technical features and architecture for this use case, but sharing further detail may present security risks to the ICO.
4.1.2 - Phase
Production
4.1.3 - Maintenance
Maintenance of ICE 360 and associated services occurs on a regular basis through security patching and ad-hoc development updates. Regular security patching occurs monthly. The performance and functionality of ICE is tested following each update.
As a new addition to ICE 360, case creation automation will be reviewed regularly and updated in line with its performance.
4.1.4 - Models
Azure OpenAI GPT o3-mini
Tier 2 - Model Specification
4.2.1 - Model name
Azure OpenAI GPT o3-mini
4.2.2 - Model version
Azure OpenAI GPT o3-mini, 2025-01-31
4.2.3 - Model task
Parse unstructured email submissions to ICE 360 casework mailboxes and attempt to derive structured data from them, in accordance with data validation. This data is then to be submitted in a structured format to our automated case creation processes.
4.2.4 - Model input
Plain text emails, submitted to the ICO via dedicated casework mailboxes.
4.2.5 - Model output
Data parsed from plain text emails and structured into valid JSON to be processed by automated case creation processes (output controlled by a schema)
4.2.6 - Model architecture
Azure OpenAI GPT o3-mini Transformer model
Using Microsoft Azure OpenAI instance (weights, layers etc.. Are undisclosed)
4.2.7 - Model performance
Performance benchmarks taken from public AI comparison sources.
Accuracy: o3-Mini is optimised for reasoning tasks in STEM domains. Key benchmark results including: - MATH - 97.9% - HumanEval (coding) - 97% - MMLU - 86.9% - AIME 2025 (advanced maths) - 86.5%
Efficiency Token pricing: - Input - £0.83 per million tokens - Output - £3.32 per million tokens
Max token input: 200,000 Mak token output: 100,000
4.2.8 - Datasets
Using Microsoft Azure OpenAI instance (datasets are undisclosed)
4.2.9 - Dataset purposes
Using Microsoft Azure OpenAI instance (datasets are undisclosed)
Tier 2 - Data Specification
4.3.1 - Source data name
The ICE 360 Case Automation feature uses Microsoft Azure OpenAI. As such datasets are undisclosed, for the purpose of this document we have outlined the data that flows through this tool as opposed to data used to train the model.
4.3.2 - Data modality
Text
4.3.3 - Data description
Complaints and queries information submitted by ICO customers, including detail of data protection complaints, individuals effected and related organisations.
4.3.4 - Data quantities
Using Microsoft Azure OpenAI instance (datasets are undisclosed).
4.3.5 - Sensitive attributes
As the ICO are the recipient of complaints about organisations that are deemed to have disclosed sensitive data or protected characteristics, all manner of these sensitive attributes could pass through our tool in production. This data is not used to train the model.
4.3.6 - Data completeness and representativeness
We cannot comment on the completeness of the data used to train the Azure OpenAI model. Data that flows through the live tool will be representative only of the typical ICO customers.
4.3.7 - Source data URL
N/A
4.3.8 - Data collection
In relation to this tool in our production environment, complaints to the ICO are submitted via email by customers. Emails are routed with Power Automate to an Azure Foundry LLM to parse unstructured data, before this flows back into the Power Automate case creation flow and through to the case creation API in Dynamics.
The collected data is all taken from the emails submitted to the ICO.
4.3.9 - Data cleaning
N/A
4.3.10 - Data sharing agreements
No data sharing agreements are in place.
4.3.11 - Data access and storage
ICO case officers and case managers, and ICE 360 technical support teams all have access to data within cases in ICE 360. This data is protected through implementation of role based access policies, login via Azure Active Directory, and secure infrastructure relying on private connections only with permitted IP addresses.
Tier 2 - Risks, Mitigations and Impact Assessments
5.1 - Impact assessment
Data Protection Impact Assessment completed from January 2025 to March 2025, approved by the IAO on 26/03/2025, and published 22/04/2025.
5.2 - Risks and mitigations
Automated case creation could erroneously link a case to an inappropriate contact. Without due diligence by case officers, communication could be sent to inappropriate parties. Mitigation: The feature that matches organisation names to our existing database uses Levenshtein Distance Matching. This is an efficient and effective manner of matching organisations even with spelling errors or missing characters. Should we see occurrences of mismatched organisations automatically created through automation, we will adjust the parameter of the matching process to demand closer matches between entered organisation names and our existing database.
Where a case has been created by automation, this is flagged for manual review and feedback. As part of this manual review, it is expected that case officers check any contacts and organisations linked to the case are appropriate.
Where automation has not been able to accurately connect an organisation, a case is created without a valid organisation connected. A flag will indicate to case officers that the organisation could not be matched and a manual review is required. This process encourages manual review by case officers, and feedback allows us to identify any issues and make necessary improvements to the automation.