FREEDOM OF INFORMATION POLICY AND PROCEDURE
Summary
The Freedom of Information (FOI) Act 2000 demonstrates a commitment to greater openness in the public sector. It enables members of the public to find out more about the activities and the decisions of public authorities and to ensure that services are delivered properly and efficiently. The Act has been in force since 1st January 2005.
This policy is intended to provide guidance and support all staff who may receive Freedom of Information requests or be required to provide data in response to requests.
Scope
This policy provides a framework for the Organisation to ensure compliance with the Freedom of Information Act 2000, Re-use of Public Sector Information Regulations 2005 and Environmental Information Regulations 2004.
This policy applies to all staff working for or on behalf of the Organisation (including temporary, fixed term, honorary contract staff, prospective employees who are part-way through recruitment, contractors or sub-contractors, agency staff, and Organisation Committee, Sub-Committee and advisory group members).
- Introduction
The Freedom of Information Act 2000 gives the public the right to request any non-personal information by the NHS, and in particular:
- the right to be told whether the information exists; and
- the right to receive that information.
Requests to re-use company information received under a FOI application in accordance with the Re-use of Public Sector Information Regulations 2005 are also covered by the policy.
Requests for information about identifiable living or deceased individuals must be dealt with in accordance with the Data Protection Act 2018 or Access to Health Records Act 1990, accordingly.
General Rights of Access
The Act gives members of the public a general right of access to recorded information (both paper and electronic) held by the organisation, subject to certain exemptions. This means that any person who makes a written request has the right to:
- Be informed in writing whether the organisation holds the information requested (this is known as the ‘duty to confirm or deny’);
- Have access to that information which the Organisation holds (subject to any exemptions which may apply).
It is a criminal offence to destroy information with the intent of preventing disclosure following a request.
Timescale for responding to requests
The Act requires that the requested information is provided to the applicant within 20 working days following receipt of the request. If the Organisation decides to make use of a qualified exemption to withhold information, then the deadline can be extended only in these circumstances to consider where the balance of the public interest test lies.
The Organisation will issue an acknowledgment of receipt to the applicant within 48 hours of receiving the request.
Publication Scheme
The Organisation already makes a large amount of information available in an open way. Information can be obtained through its website, leaflets, and other relevant publications such as the Annual Report and Accounts.
The Organisation is obliged to maintain a publication scheme (which is based on the Information
Commissioners Model Publication Scheme) under the FOI Act. A publication scheme is a guide to the information which will routinely be made available to the public by the Organisation.
The Organisation has a duty to regularly review its Publication Scheme as part of maintaining to ensure it is up to date. In liaison with the Information Governance Committee and Directors of the Organisation, the Organisation will routinely publish datasets on its website in order to reduce the administrative burden of FOIs.
Information Commissioners Office
The Act is regulated by the Information Commissioner who combines this responsibility with regulating the Data Protection Act (to be succeeded by new Data Protection legislation from May 2018). The Information Commissioner’s Office’s benchmark for good compliance is 90%. The Organisation will publish an annual FOI report setting out its compliance rate for the financial year.
Roles and Responsibilities
Peter Dand has ultimate responsibility for adherence to the Act.
Peter Dand is responsible for:
- Ensure organisational compliance with the Act
- Reviewing the public interest test in cases of qualified exemptions
- Responding to queries and complaints over the organisation’s service in handling FOI applications
- Carrying out internal reviews in liaison with the relevant Director/Chief Executive
- Ensure processes are implemented to maintain currency of this policy and the issue of a current Organisation Publication Scheme
- Act as the Champion for FOI awareness throughout the organisation
- Ensure that the general public and Organisation staff have access to information about their rights under the Act
- Ensure FOI applicants receive acknowledgement within 48 hours of submitting their request
- Ensure that a process is in place to assist with investigations into complaints and appeal
- Ensure that all requests for information are validated, recorded and co-ordinated in accordance with current procedures which allow responses to be sent to the applicant within legal timescales
- Perform a technical check of the managers’ responses for completeness prior to sending to the applicant
ice
- Advise and support staff responding to requests including the possible application of exemptions
- Provide advice and assistance to staff and those who propose to make, or have made, requests for information under the Act
- Devise and maintain standard documentation including response letters
- Create and publish a Disclosure Log
- Development and maintenance of the Organisation Publication Scheme
All Staff
All employees of the Organisation are obliged to adhere to this procedure. They must also ensure
they are aware of the implications of this policy, and of the process for the central handling of FOI requests.
FOI requests received by staff must be forwarded to Peter Dand, NorwoodandPerrinDPO@clinicaldpo.com
Where a request is received by hard copy letter, the date of receipt by the Organisation should be clearly marked on the request letter and this should be scanned and sent to the above email address.
Note the Organisation has only 20 working days to respond to a request for information. Where staff are unsure of whether a request for information needs to be logged as a FOI request they must contact their manager for advice.
All staff should be aware that under section 77 of the FOI Act it is a Criminal Offence to alter, deface, block, erase, destroy or conceal any record held by the public authority, with the intention of preventing the disclosure by that authority of all, or any part, of the information to the communication of which the applicant would have been entitled. To do so can result in a fine of up to £5,000 and up to two years in prison.
Identifying Freedom of Information Requests
To be classed as a FOI request the request must:
- Be made in writing (this includes by electronic means such as e-mail)
- State the applicant’s name and include an address for correspondence (this can be an e-mail address)
- Describe the information being requested to enable the Organisation to clearly identify the information required. Where this is not clear the Organisation must seek clarification from the applicant.
It should be noted that requests do not need to mention the FOI Act or contain a reason for requesting the information.
A distinction must be made between requests for information and routine correspondence.
Requests for information that can be provided without any question (e.g. leaflets, other public / patient material, recruitment brochures, press releases) should be treated as business as usual.
It is also important to point out that the Freedom of Information Act 2000 only covers requests for recorded information and does not cover instances where explanations, opinions, comment, interpretations or unrecorded discussions are requested.
Once a FOI request has been identified and submitted, [insert name/role] will then send an acknowledgement to the applicant to confirm receipt of the request.
FOI Exemptions
The Organisation has a duty to receive all requests in a positive manner with a view to disclosing the required information. However, the Act does contain a number of exemptions from the duty to confirm or deny or to communicate information.
The Organisation can only withhold a document if one or more exemptions as outlined in Part 2 of the FOI Act apply to the information being requested. If information is properly exempt then there is no right of access to it under the Act. All the exemptions operate in different ways and, when applying individual exemptions, the following factors may need to be considered:
- The content of the information
- The effect that disclosure would have (for example, the possible impact on our relations with third parties or on any ongoing investigations/legal proceedings)
- The source of the information
- The purpose for which the information was recorded
There are two categories of exemptions; absolute and qualified.
- absolute – there is no duty to consider the public interest test; the information need not be disclosed and the Organisation is not obliged to comply with the duty to confirm or deny whether it holds the requested information.
- qualified – the Act requires the Organisation to consider first whether or not the exemption applies (taking into account the prejudice test where applicable) and secondly, if the exemption does apply the Organisation must consider the public interest test. Only where the public interest in maintaining the exemption or exclusion from the duty to confirm or deny outweighs the public interest in communicating information, or confirming or denying that the Organisation has such information, can the Organisation rely upon a qualified exemption or exclusion.
The Public Interest Test
Where it is intended to apply a qualified exemption, [insert name/role] will undertake and document a ‘public interest test’. This means balancing the considerations of disclosure and non-disclosure of information. If the public interest in withholding the information outweighs the public interest in disclosing it, it should be withheld. When a decision is made to withhold information the reasoning as to why that decision was made must be recorded e.g. a demonstration of the potential harm in disclosing the information must be made.
The Appropriate Limit
The appropriate limit is the point at which the Organisation can exempt a request due to excessive costs and staff time. The appropriate limit is set at £450 for opticians.
Costs are calculated on the amount of time staff would take in:
- Determining whether the Organisation holds the information requested;
- Locating the information or documents containing the information;
- Retrieving such information or documents, and
- Extracting the information from the documents containing it.
The rate for staff time is calculated at £25 per hour.
In all such cases the Organisation will offer advice and assistance to the applicant to narrow the scope of their request and bring it within the appropriate limit, rather than opt to charge them for their request.
Complaints
Where the applicant wishes to ask for an Internal Review of the information disclosed or the decision is not to disclose some or all of the information, the request should be made in writing to the [insert name/role].
Internal Reviews should be completed within 20 working days from the time the request for the review was received. In exceptional circumstances where the review is deemed complex, this may be extended to 40 days. The applicant should be informed of the timescale within which the review will be undertaken.
The applicant must be informed of the outcome of the review. Where the review overturns an original decision to withhold the information, the information should be disclosed to the applicant as soon as possible after the completion of the review.
To ensure the Internal Review stage is fair and impartial, a review of the decisions made during the original consideration for the release of information will be conducted.
Where the original decision is upheld, the Organisation is not obliged to undertake any further review. However, the applicant must be informed of their right of appeal to the Information Commissioners Office.
Full records of the progress of the review must be kept and any outcomes as a result of the review recorded. This will be subject to review and inspection by the Information Commissioner in any further investigations.
Personal Information and Health Records
Requests made by an applicant to review their own personal information and/or health records will not be disclosed under this procedure. All requests for personal information will be dealt with under the Data Protection Act 2018 (see DSAR Policy for guidance) or Access to Health Records Act 1990 as appropriate.
Organisation information is subject to copyright protection unless stated otherwise. If any person uses the Organisation’s copyright material, the source of the material must be quoted, and copyright status acknowledged. Unless expressly indicated on the material to the contrary, it may be reproduced free of charge for sole use, including for non-commercial research purposes, news reporting, in any format or medium, provided it is reproduced accurately, is not used in a misleading manner and is not used for commercial gain.
For information where the copyright is owned by another person or organisation, applications must be made to the copyright owner to obtain their permission.
Publishing the information or issuing copies may be subject to the provisions of the Re-use of Public Sector Information Regulations 2005 and will require permission of the Organisation and may require a fee.
Duty to Advise and Assist
All public bodies have a duty to assist applicants in requesting information. This could involve assisting applicants in making their requests by suggesting what information is available and/or contacting applicants who have made broad requests in order to specify information required so that it may be identified.
In circumstances where the Organisation does not hold the information requested, where known, applicants should be advised of the organisation that does hold the information and contact details supplied to them or if the applicant prefers, the Organisation can transfer the request to the organisation on the applicant’s behalf.
Dissemination and Implementation
This policy will be available to all staff via the Organisation intranet. Training will be given to all staff as part of mandatory Information Governance training at the Organisation.
Confidentiality
Whilst the purpose of the Act is to ensure that the Organisation is as transparent as possible the Organisation has a duty to maintain confidentiality relating to those who request information and to any request for information that falls under the confines of the Data Protection Act 2018.
Appendix 1 FOI Process Map
- FOI Request (sent to ?) immediately upon receipt
- Clock starts ticking. The Organisation has 20 working days from the moment an FOI request is received to respond (Time limit can be extended where public interest test applies).
- FOI requests must be sent to [insert name and email] and logged on FOI register
- Acknowledgement sent to applicant within 48 hours [who]
- Is the request clear? No – Request clarification from applicant
- Is the request clear? Yes – Will the cost/time limit for processing the request exceed 2 ½ days? Yes Section 12 of the FOI Act (exceeds appropriate limit) applied. Refusal letter sent to applicant outlining grounds of appeal.
- Is the information publicly available? Section 21 of FOI applies. Refusal letter sent to applicant with details as to where in the public domain the information can be located.
- Is the information exempt? Apply one or more of 23 available exemptions. Refusal letter / public interest test sent to [who] for sign off.
- Clear requests, where no exemption exists must be responded to, providing the requested information, within 20 days.
Appendix 2
Section 40 – Personal Information
Definition of ‘Personal data’:
Data which relates to a living individual who can be identified:
- a) From that data, or
- b) From that data and other information which is in the possession of, or likely to come into the possession of the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
Definition of ‘Sensitive Personal Data’:
- Race or ethnic origin
- Political opinions
- Religious or other beliefs of a similar nature
- Trade union membership
- Physical or mental health
- Sex life
- Commission of offences
- Criminal proceedings
FOIA Section 40 Exemption:
Under Section 40 of the Freedom of Information Act (FOIA), public authorities are, in general, exempt from the Act’s duty to provide access to personal data as defined above. Where an application for information constituting ‘personal data’ is made by the ‘data subject’ (i.e. the person who is the subject of the data), that information will be covered by the exemption in Section 40(1) and will automatically be channelled through the Subject Access Request (SAR) procedures established under the Data Protection Act 2018.
Subject access requests should be directed to the DPO [insert details].
Where an application for information is made by someone other than the ‘data subject’, disclosure of that information will often constitute a breach of the Data Protection Act and consequently the public authority will usually be exempt from its duties under the Freedom of Information Act as a result of Section 40(2).
Generally the exemptions in both sections 40(1) and 40(2) are absolute exemptions.
Please see below an ICO flowchart outlining the process of dealing with such requests:
https://ico.org.uk/media/for-organisations/documents/1167/flowchart_of_request_handling_under_foia.pdf