GDPR: The Rise in FOI and how to comply
The session was centred on the rise of Freedom of Information requests and tips on how to manage requests.
What Is Freedom of Information and who does it affect?
Freedom of Information refers to the Freedom of Information Act, a piece of legislation that was launched in 2000. The main purpose of the act is to regulate access to the data of public bodies and to inspire transparency with the general public as to how these bodies are being managed.
It is important to note that this act does not actually relate to Data Protection and is a separate area in its own right, even though it might be slightly similar.
The two main things that arise from the act are:
a) Public authorities are required to publish / make accessible certain information.
b) Individuals are allowed to make FOI requests for information they feel should be more readily available.
Most schools fall under the scope of being public bodies, including trusts and academies. However, this isn’t the case for certain independent / private schools.
In the past, local authorities seemed to manage FOI matters on behalf of schools, but it has become clear over time that FOI requirements apply to each individual school and might be better handled by the school itself. This means many schools are now familiar with receiving FOI requests directly and are adapting to manage these internally.
The best starting point for dealing with an FOI request is ensuring that you have a Freedom of Information policy in place. This policy should contain a publication scheme detailing which information / data the school commits to making accessible to the public. Judicium can assist with a template policy for this.
What is needed for a valid FOI request and what are the time frames to respond?
The key points to consider are:
- A request can be made by anyone and you don’t need to know who the requester is.
- It must, however, include the requester’s real name; you shouldn’t verify identity unless it’s clear that the requester is using a pseudonym.
- The request must be in writing; unlike a SAR, it cannot be made verbally.
- It must specify an address for responding - this could be an email address or postal address.
- The request does not have to mention the FOI act for it to be a valid one.
- The request does not have to be directed to a particular member of staff for it to be valid. Thus, it is key to create staff awareness in order to ensure staff pass these on to the relevant person.
The timeframe for a response is 20 school days OR 60 working days, whichever is shorter. Working days are classed as days other than Saturday, Sunday or Public Holidays. This timeframe has been designed to give schools suitable time, taking school holidays into account.
The time period starts from when the request is received, not from when it reaches the nominated request handler. It starts on the first working day after the request has been received, not on the day of receipt itself.
Why is it important to comply with these requests?
Previously there was a habit of organisations not complying with these requests because they saw the request being made to several schools locally, so they assumed that it did not actually apply to them. Another example might be a company using a request as a marketing technique to sell you something you aren’t interested in. Regardless of the situation, you are still required to comply.
The ICO has also started to take more steps to enforce compliance with requests. The main reason for this is that it is a legal obligation: you must release the information unless there is good reason not to.
The ICO has a duty to investigate any complaints it receives about organisations not complying with FOI legislation and can direct a school to comply with a request and make that decision public. It must be noted that the ICO cannot actually fine you for breaches of the act or compensate individuals. However, a breach of the act is unlawful and the ICO publishes details of non-compliance.
In addition to the above, if you destroy, hide or alter requested data, this is in fact considered a criminal offence and can be enforced in this way as well.
It is also seen as a point of public trust. Some of these individuals send communications out to multiple organisations and will name and shame those who don’t respond.
Exemptions that apply to information you need to provide:
Unlike with SARs, you can possibly refuse to comply with a request if it takes too much time to deal with. If it is likely to take 18 hours or more, you can refuse to comply or actually charge the requester a fee to comply.
You should, however, still hold the data, as it is possible the requester can refine the request to fall within the time limits. The requester should be given the opportunity to refine the request, along with an explanation of why it would go over the limit. You cannot simply say it would take over 18 hours: this needs to be estimated, and you can only factor in tasks such as determining whether you have the information, finding it, retrieving it and extracting the required data. Note that time spent working out whether exemptions apply should not be factored in, nor can any time you have used for redaction.
There are a number of different exemptions. Examples include, to name a few:
- Prejudicing commercial interests
- Prejudicing law enforcement
- Endangering health and safety
- Information intended for future publication
- Information already reasonably accessible
Another thing to be aware of is that all exemptions are either “absolute” or “qualified”. An absolute exemption means that you can rely on it unconditionally, whereas a qualified exemption means you should consider the public interest before deciding whether to withhold.
Top Tips for dealing with FOI requests:
- If the request is unclear you are allowed to clarify: Some individuals can ask broad questions or ask questions which you don’t specifically have an answer to. For example, how many pupils have been punished by the school in the last 12 months? You can clarify what is meant by punish. Does this mean exclusion, or something else? However, if you do need to clarify, the timeframe doesn’t start until you receive this clarity.
- If we do not hold the data, we do not actually need to create it: If someone asks you for meeting notes of discussions, for example, about a health and safety meeting that never took place, you don’t need to create it.
- Do be aware that if you hold the information, but just not in the way that the requester has phrased it, this doesn’t mean you should refuse the request, and an answer should be provided where it can. For example, someone might ask “do your examination centres require at least two staff members present at all times?”. You may not have this down officially somewhere, but you might have records of who sits examinations. In this case you can simply confirm “yes”.
- Internal review: It is a recommended practice to have internal review in your policy / requests. Internal review is essentially a self-imposed form of appeal against your response. It is important that internal reviews are done by someone who didn’t handle the original request, as self-critique might be hard to do. It is also important that internal review is made to challenge the outcome or process. This is not a general complaint and shouldn’t be handled under the complaints policy.
- ICO guidance publication scheme: This is not really classed as a publication scheme; however, it does give some guidance on what to consider publishing. It doesn’t actually stipulate if you do or don’t and you should tailor the scheme to your school.
- This is not GDPR: Although FOIs are in a similar realm and might sometimes overlap, this isn’t necessarily GDPR. Thus, your DPO may not be able to assist. Also be aware some individuals title requests as FOI requests (or SAR requests) when they are in fact the opposite. Try not to focus on the title but what the person is actually asking for when making the request.
As part of Judicium’s GDPR service, we offer support on dealing with FOIs on behalf of clients. If you would like more information on how we can support you, please see details of the service here.
If you require any support with any of these steps, or would like to talk to someone about support for your school, please do not hesitate to call us on 0203 326 9174 or email tara.jones@judicium.com.