Freedom of Information (FOI) Requests in 45 minutes

This is a summary taken from Judicium’s DPO ‘Sofa Session’ from the 29th of November with Data Services Consultant Sofia Mastrangelo. This session focused on recognising a request, what to do when a request is received, and when requests can be refused.

Poll 1

Freedom of Information requests are very common and allow individuals access to information held by public authorities. i.e., schools. These notes will cover how to identify a request and what you should do if you receive one.

Public authorities spend taxpayers' money and make decisions which can significantly affect people’s lives (students) and allowing access to this information helps hold the public authorities (schools and Trusts) accountable for their actions.

NB: Freedom of Information Requests are not applicable to Independent Schools.

 There are two key duties:

1. To confirm or deny the information requested is held in a recorded form.

2. To disclose the relevant information requested.

An applicant does not need to give you a reason for wanting this information; however, you must justify why you may be refusing to disclose. This is where exclusions come in and these will be discussed in more detail further down.

1. How do schools identify and FOI? 

To be valid under the FOIA a request must be:

1. in writing
2. state the name of the applicant and an address for correspondence, and
3. describe the information requested

‘In writing’ covers requests submitted by letter and electronic form, including those sent through WhatDoTheyKnow.com and social networking platforms such as Twitter and Facebook.

The request does not have to make any direct reference to the Freedom of Information Act, or be the sole or main theme of the requester’s correspondence. In fact, a request buried within the text of a long piece of correspondence is as valid as a standalone request. Generally, a Freedom of Information request is a request for information.

The requester can be an individual, a company or a pre-existing and identifiable organisation or group. In each case, they must provide their real name, either of the individual or organisation. NB: A request made under a pseudonym is invalid.

The requester must provide enough of their real name to give anyone reading the request a reasonable indication of their identity. This means if you cannot identify the requester from the name provided, that request is invalid.

Generally, an FOI is a request for information about the organisation and not an individual. A request for personal information is a Subject Access Request (SAR). These two can get confused often. It is important to identify the correct legislation when acknowledging the request, notifying the individual what legislation the request would be handled under.

Examples of Freedom of Information requests include:

• “Please also provide the total number of children that attended the school during 2016-present?”
• “How many permanent exclusions has each year group had since September 2022?”
• “Under the Freedom of Information Act, please could I be provided with a copy of the school's master timetable?”

2. What should we do once an FOI request has been received?

You should notify your DPO a request has been received as they will be able to determine whether a request is valid and should support you in drafting an acknowledgement.

You have two separate duties when responding to these requests:

1. To tell the applicant whether you hold any information falling within the scope of their request and
2. To provide that information.

You have 20 working/school days to respond to a request. The time allowed for complying with a request starts when your organisation receives it, not when it reaches the data protection officer or other relevant member of staff.

It’s important to understand what it is you are being asked for. When a request isn’t clear, you have the right to request clarification, but must do this as soon as possible. NB: The timeframe does not start until clarification has been received.

The Freedom of Information Act only covers recorded information you hold. When compiling a response to a request for information, you may have to draw from multiple sources, but you don’t have to make up an answer or find out information from outside your organisation if you don’t already have it in recorded form.

Before you decide whether you hold any recorded information, you should carry out adequate and properly directed searches. NB: You must have convincing reasons for concluding that no recorded information is held.

If you don’t have the information the requester has asked for, you can comply with the request by informing them in writing.

If the requested information is available to them elsewhere, e.g., published on your website, you can direct them to where they can find it.

3. Should we record requests we receive? 

You should have data request log which records the following:

• Type of Request = FOI/SAR
• Name of the requestor
• Information requested
• Date of request received
• Individual who is responsible for overseeing the request
• Fee received yes/no (only applicable to FOI)
• Response date
• Search criteria used
• Exemptions applied
• Status of request (In progress, completed)

By having a log you are able to identify the amount of FOIs you receive, the information which is being requested and the actions which were taken and/or any exemptions which may have been relied upon including the tests which were conducted.

You may receive similar FOIs from different people such as parents, journalists, employees. But you should treat each request equally and information you disclose should not depend on who they are. You should only disclose information under the Act if you would disclose it to anyone else who asked. In other words, you should consider any information you release under the Act as if it were being released to the world at large.

Poll 2

It is a legal requirement to have a publication scheme which sets out your commitment to make certain classes of information routinely available. This could include policies and procedures, annual reports, and financial information.

It’s important that organisations have a Freedom of Information Policy and Publication Scheme accessible to individuals, which usually means displaying it on your website. You should include:

• a guide to information, specifying what information you publish and how it is available.
  • For example, online or by contacting you.
• a schedule of fees stating what you charge for information.

The Information Commissioner’s Office (ICO) released a model publication scheme public authorities can adopt. NB: If you’re a data protection client of Judicium, we have one readily available for you.

It’s also important to point out authorities should have a records management policy in place covering information security as well as record retention, destruction, and archive. Record Management forms an integral part of Freedom of Information. It’s important to know what information you hold, where you hold it and how you hold it.

Judicium provide an annual audit which includes data mapping, also known as records of processing, which details the cycle of data being processed within your organisation. We also implement a data destruction log for large scale files such as Finance, Personnel, and Health and Safety. A destruction log isn’t a legal requirement, but it is recommended for good practice for you to be able to evidence the date those files were destroyed, and the method used.

Judicium customers have access to Jedu, where they will see this available within the documents section.

4. Can we charge for information? 

Yes, in most cases. The Act does not allow you to charge a standard flat fee, but you can recover costs such as photocopying, printing and postage. However, it is harder to justify charging for electronic requests. You cannot normally charge for costs such as staff time spent on searching for the information.

If you wish to charge a fee, you should notify the requestor of any charges involved at the time of acknowledging the request. You do not have to send the information until you have received the fee, but this doesn’t mean the deadline (20 working days) stops while you are waiting for the fee.

In other words, you should issue the fees notice within the standard time for compliance. Once you have received the fee, you should send out the information within the time remaining.

5. What does neither confirm nor deny mean? 

This is applied when confirming the requested information is held, and/or denying it is held, would unavoidably involve disclosure of details which should not be disclosed, or which would be damaging if disclosed, and which are, as a result, exempt.

These might appear as trick questions. For example, if a number of schools within the same area/MAT receive the same FOI asking for “number of complaints made about a specific individual.”

Confirming or denying this information is held could do two things:

1. Identify that the individual works there.
2. Identify that complaints are in fact held.

In this instance, we would advise to Neither Confirm nor Deny. Your DPO should be able to help identify when this is applicable.

6. What information is exempt from disclosure under FOI? 

There are 23 exemptions under the Freedom of Information Act. They range from national security, health and safety, court records, to law enforcement.

The most common exemptions which schools usually look to rely on are:

• Personal Information where the applicant is either the data subject or a third party.
• Legal Professional Privilege where legal professionals have been involved and advising the school on legal matters.
• Trade Secrets and/or Commercial Interests where complying with the request could prejudice someone’s commercial interest, such as the rates offered to you or a purchase price.
  • This could affect your future bargaining position and/or the company who has provided these offers/rates.

Personal Information Exemption Example

It’s important to highlight that when responding to an FOI, you must not disclose information about others where they are likely to be identified. For example, a request for the “number of staff members who left the organisation during the last academic year due to stress and anxiety and the salaries of those staff members.”

If the number of individuals is low (usually under 10) then this combined with other information or a separate request, leads to the individual likely being identified, resulting in disclosing both medical and financial information. This could therefore fall under a Personal data exemption.

No exemption can be used as a blanket exemption. There may be situations where it is reasonable to disclose certain information, such as a request coming in regarding IT devices and the procurement of those devices. The question may be “what is the staff name of your IT Manager/Director?” If the information is already publicly available, the risk of disclosing that information is likely to be low.

You should speak to your DPO about any concerns you have regarding disclosures.

7. What is meant by 'conducting a test' before relying on an exemption? 

Each exemption requires a different approach/test. Most of the exemptions are qualified, meaning you cannot rely upon an exemption until the relevant test has been applied.

There are two types of tests:

1. Public Interest Test - a balancing test on factors in favour of disclosure and factors against disclosure.
   • Imagine it as scales, which way the scales tip depends on the arguments for and against. NB: The majority of these exemptions rely on this test.
2. Prejudice and Likelihood Test - evaluates the likelihood of harm with or without disclosure. Not all exemptions require this particular test, but if it is required, it should be completed prior to the Public Interest Test.
   • During this test you need to be able to identify what is likely to be harmed by disclosure, what harm is expected (there needs to be a direct link, not hypothetical) and why as well as the likelihood of that harm happening.

There are 9 out of 23 exemptions which do not require a test. These are called class based.

Your DPO should be able to identify which tests are required depending on the exemption and the test should always be recorded.

Once the tests have been conducted and the exemption is upheld, you should always inform the requestor that the data is held; however, it is held under the relevant exemption and the reasons why. It is important to inform the individual that they have the right to appeal by contacting the ICO.

8. Best practice advice

1. Ensure your Freedom of Information Policy and Publication Scheme is readily available (i.e., website).
2. Keep a log of the requests received.
3. If you are looking to rely on exemptions, ensure the correct tests are conducted and record them before relying on an exemption.
4. Maintain a destruction log which forms an integral part of record management.

9. Key points to take away about FOIs 

• The FOIA only applies to public authorities
• Know the differences in your statutory deadlines
• Be careful to not identify or disclose personal data relating to individuals when it is not reasonable to do so
• If the information is not recorded/held – you do not need to provide it.

Helpful Information:  

Judicium also offer a range of GDPR e-learning  training designed for schools. You can see current course availability here.

If you’d like to review Judicium’s forthcoming Sofa Sessions please click here

Follow us on Twitter: @DPOforSchools and @JudiciumEDU

© This content is the exclusive property of Judicium Education. The works are intended to provide an overview of the sofa session you attend and/or to be a learning aid to assist you and your school. However, any redistribution or reproduction of part or all of the contents in any form is prohibited. You may not, except with our express written permission, distribute or exploit the content. Failure to follow this guidance may result in Judicium either preventing you with access to our sessions and/or follow up content.