Data Protection and Freedom of Information: How They Work Together

Posted 11th January 2023

This is a summary taken from Judicium’s GDPR ‘Sofa Session’ from the 11th of January with our Data Protection Consultant Sofia Binns.

This session was centred around an overview of your obligations under FOI; understanding the difference between Freedom of Information and Subject Access Requests; and how to apply FOI exemptions to personal data.

What is the difference between a Freedom of Information Request (FOI) and a Subject Access Request (SAR)?

Freedom of Information allows individuals access to information about the organisation.

Some examples of Freedom of Information Requests we often see:
  • Number of Pupil Premium students within the school in the last 3 years
  • Exclusion statistics
  • Monthly spend on Gas/Electric/Water/Broadband. Supplier information and contract end dates. (This is mainly from companies who are looking to acquire your business)

The Freedom of Information Act (FOIA) covers recorded information. Recorded information includes printed documents, computer files, letters, emails, and photographs.

The first question to ask yourself is “Do you hold this information?”

You do not have to create new information in order to answer it. NB: One of the key duties of Freedom of Information is to confirm or deny whether the information is held.

There may be parts of the request which are held by your school while other parts of the request are not. You can simply reply ‘information is not held,’ however, you may want to point them in the right direction of where they could find that information such as the Local Authority.

The Act does not give people access to their own personal data or to personal data about others. This is the key difference from a SAR: Subject Access Requests give individuals the right to receive a copy of their own personal data, such as their personnel file.

They both carry different statutory time limits:
  • FOIs should be responded to within 20 school days
  • SARs should be responded to within one calendar month.

Your DPO should help you to acknowledge the request and provide a response.

It’s important to note that a FOI request must be made in writing whereas a SAR can be made verbally or in writing.

NB: Only public authorities such as maintained schools/academies/local authorities are required to respond under the Act.


What information is exempt from disclosure under the FOIA?

There are 23 exemptions under the Freedom of Information Act in total. These range across areas such as National Security, Health and Safety, Court Records and Law Enforcement.

However, the most common exemptions schools usually look to rely on are:
  • Personal Information where the applicant is either the data subject or a third party
  • Legal Professional Privilege where legal professionals have been involved and advising the school on legal matters
  • Trade Secrets and/or Commercial Interests where complying with the request could prejudice someone’s commercial interest. For instance, the rates they offer you or the purchase price. Revealing these could affect your future bargaining position.

Personal Information Exemption Example

It’s very important that when responding to a FOI, you are careful not to disclose information about others where they are likely to be identified.

For example, a request for: “The number of staff members who have left the organisation during the last academic year due to stress and anxiety and the salaries of those staff members.”

If the number of individuals is low (usually under 10), then when combined with other information or with a separate request, the individuals are likely to be identifiable, which could result in disclosing both medical and financial information. This could therefore fall under the personal data exemption.

No exemption can be used as a blanket exemption, and there may be situations where it is reasonable to disclose that information.

For example, a request may come in regarding IT devices and their procurement and ask for the name of your IT Manager/Director. If that information is already publicly available, the risk of disclosing it is likely to be low and it would therefore be reasonable to provide it.

As many elements of an FOI are assessed case-by-case, you should speak to your DPO about any concerns you have regarding disclosure, who will be able to access the information and whether any exemptions are likely to apply.

When to respond with Neither Confirm nor Deny?

This is applied when confirming or denying information is held would involve the disclosure of details that should not be disclosed, or would be damaging if disclosed, and are therefore exempt.

These might appear as trick questions. For example, if several schools within the same area/MAT receive the same FOI asking, “Number of complaints made about a specific individual.”

Confirming or denying whether that information is held could do two things:
  1. Identify that the individual works there
  2. Identify that complaints are in fact held.

In this instance, we would advise to Neither Confirm nor Deny.

Your DPO should be able to help identify where this is applicable.

What is meant by having to conduct a test before relying upon an exemption?

Each exemption requires a different approach/test. The majority of the exemptions are qualified, meaning you cannot rely upon the exemption until the relevant test has been applied.

There are two types of tests:
  1. Public Interest Test – A balancing test on factors in favour of disclosure and factors against disclosure. (Imagine it as scales with a tipping point depending on the arguments for and against). NB: The majority of these exemptions rely on this test.
  2. Prejudice and Likelihood Test – Evaluates the likelihood of harm with or without disclosure. Not all exemptions require this particular test, but if it is required, it should be done prior to the Public Interest Test.
    • During this test you must identify what is likely to be harmed by disclosure, what harm is expected, why it is expected and the likelihood of that harm happening.

There are 9 out of the 23 exemptions which do not require any tests, and these are called class-based exemptions.

Your DPO should be able to identify which tests are required depending on the exemption and the test should always be recorded.

Once the tests have been conducted and the exemption is upheld, you should always inform the requestor that the data is held, but that it is being withheld under the relevant exemption, and give the reasons why.

Should we be recording requests we receive?

Yes! You should have a data request log which records the following:
  • Type of Request = FOI or SAR
  • Name of the requestor
  • Information requested
  • Date the request was received
  • Individual who is responsible for overseeing the request
  • Fee received yes/no (only applicable to FOI)
  • Response date
  • Search criteria used
  • Exemptions applied
  • Status of request (In progress, completed)

By having a log, you are able to identify the number of FOIs you receive, the information which is being requested, the actions which were taken, any exemptions which may have been relied upon and the tests which were conducted.

You may receive similar FOIs from different people such as parents, journalists, employees. You should treat each request equally and the information you disclose should not depend on who they are. You should only disclose information under the Act if you would disclose it to anyone else who asked. In other words, you should consider any information you release under the Act as if it were being released to the world at large.

Freedom of Information Policy and Publication Scheme

It is a legal requirement to have a publication scheme which sets out your commitment to make certain classes of information routinely available. This could include policies and procedures, annual reports and financial information.

It’s important that organisations have a Freedom of Information Policy and Publication Scheme accessible to individuals, typically displaying it on your website.

It should include:
  • A guide to information, specifying what information you publish and how it is available
    • For example, online or by contacting your school
  • A schedule of fees stating what your school charges for information

Judicium offer a model publication scheme to our clients, which is readily available to be tailored to and adopted by your school or Trust.

It’s also important to note that authorities should have a records management policy in place covering information security, record retention, destruction and archiving. Records management forms an integral part of Freedom of Information.

At Judicium our clients receive an annual audit, and within that audit we discuss implementing a data destruction log for large-scale files such as Finance, Personnel and Health & Safety. A log isn’t a legal requirement, but it is recommended as good practice so that you are able to evidence the date those files were destroyed and the method used.

Can we charge for the information?

Yes, in most cases. The Act does not allow you to charge just a standard flat fee, but you can recover costs such as photocopying, printing and postage. You cannot normally charge for costs such as staff time spent on searching for the information.

If you wish to charge a fee, you should notify the requestor of any charges involved at the time of acknowledging the request. You do not have to send the information until you have received the fee; however, this doesn’t mean that the statutory time limit (20 working days) stops while you are waiting for the fee. Essentially, you should issue the fees notice within the standard time for compliance. Once you have received the fee, you should send out the information within the time remaining.

What role does the Information Commissioner's Office (ICO) play with regards to FOIs?

Individuals have the right to complain to the ICO if they are not satisfied with the way the request has been handled or they do not agree with the exemption applied.

In the first instance, the requestor has the right to request an internal review within 40 working days of the initial response. The internal review should be carried out by someone other than the person who issued the initial response. They should consider how the request was handled, whether the relevant information has been identified, and whether to uphold the original exemption or not.

If a complaint is sent to the ICO, they are likely to want to resolve the issue informally. They assess the issues raised by the individual and the response given, and try to reach a satisfactory compromise.

The ICO may ask you to explain your decision, which is why it’s important to record the tests that were conducted when relying upon exemptions.

However, the ICO also has the power to issue a legally binding decision notice. Following their investigation, it will state whether you have complied with the law and, if not, what you should do moving forward.

If you fail to follow good practice as set down in the codes of practice, the Commissioner may issue a practice recommendation. For example, they may recommend that you introduce an internal review procedure or improve staff training.

Top Tips to Take Away:

  1. The FOIA only applies to public authorities.
  2. Know the differences in your statutory deadlines.
  3. Be careful to not identify or disclose personal data relating to individuals when it is not reasonable to do so.
  4. If the information is not recorded/held – you do not need to provide it!
