Statutory Requests for Information
Requirements for managing requests for information to comply with the Freedom of Information Act 2000 (FOI), the Environmental Information Regulations (EIR), the UK General Data Protection Regulations and the Data Protection Act 2018.
Policy points are numbered. The numbering corresponds to explanations of ‘why?’ and ‘how?’ for each point further down the page.
What must I do?
For all types of request for information:
1. MUST: We must correctly identify the law which applies to the information being requested and manage the request in compliance with that law.
2. MUST: Information should be released unless there is a strong legal justification for withholding it.
3. MUST: Whenever we refuse to provide information, we must clearly and fully explain the reasons why.
4. MUST: We must provide advice and assistance to people making a request.
5. MUST: We must always try to reply as quickly as possible, but always within the legal deadline.
6. MUST: All employees must promptly provide all relevant information to a request co-ordinator if asked for it.
7. MUST: If we decide to charge for information, we must do so in accordance with a published policy.
8. MUST: Where reasonable and practical, we must provide the information in the format requested by the applicant.
9. MUST: When we respond to a request, we must tell the requestor about our internal review process.
10. MUST: When responding to a complaint, we must advise the requestor that they may complain to the ICO if they remain unhappy with the outcome.
11. MUST: We must maintain an up-to-date Publication Scheme available on our website to meet our obligations under FOI/EIR.
Why must I do it?
1. The requestor does not have to specify under what legislation they are making a request. It is our responsibility to correctly identify which legislation applies.
2. We serve the public. We should not hide information from them. The Acts are intended to make us more accountable to the public, to make our processes more transparent, and to encourage the public to trust us. Information should be released unless we can strongly justify withholding it (embarrassment is not a sufficient reason to withhold information). In some cases, we may have to release non-personal information because it is in the public interest, although it might otherwise have been considered exempt. Also, it is a legal offence to deliberately withhold or destroy requested information where there is no legal reason to do so.
3. We will not be obliged to provide all or part of the information requested if a legal justification applies. If we believe a reason does apply, then we must help the public to challenge our decisions effectively by giving our reasons, and doing so clearly and fully in line with the requirements of the Acts. This is a legal requirement.
4. The Acts require us to assist requestors, especially where we may be considering refusing a request, by guiding them on how to clarify or re-scope their request to achieve the best outcome. This is a legal requirement.
5. The laws provide statutory deadlines for responding to a request: 20 working days for FOI and EIR, and one month for DPA. There are limited reasons to extend the deadlines. The laws expect information to be well managed and accessible, so there is an assumption that requests should be routinely responded to well in advance of the deadline.
6. In order to comply with regulator and corporate targets for fulfilling requests, all employees have a role to play in making information relevant to the request available promptly so that a response can be drafted within the timescale.
7. The laws require us to make clear the basis for charging to ensure that charges are fair and unobstructive. We must tell requestors whether a charge applies before we provide the information, and we should tell them what that charge will be.
8. The Acts place a duty on us to provide information in the format that the requestor would find most convenient to their needs. We may refuse unreasonable demands and charge in certain cases, but in principle the requestor should be able to receive the information in the way they specify.
9. It is a requirement of the Act to have an internal review process. Where a requestor expresses dissatisfaction with a response, this must be treated as a complaint. The Act states that expressing dissatisfaction is enough to require us to treat it as such. The ICO requires us to complete the internal review process before it will accept an escalation of a complaint to its office.
10. This is a statutory requirement.
11. This is a statutory requirement.
How must I do it?
1. Follow guidance and training to correctly identify whether the request should be handled under FOI, EIR or DPA/GDPR.
2. By following the points of this policy and accompanying guidance and training.
3. Ensure the employee making decisions about what can be released and drafting the response has access to legal guidance in order to make the response full and compliant with the law.
4. Discuss the likely response with the requestor if their request is likely to be refused and explain options that would help them receive as useful a response as possible within the limits of the law. Although we should not ask requestors what they intend to do with the information they have requested, we can explain what we do hold and what is likely to be disclosable to them.
5. We must record performance against the statutory deadlines to ensure we are aware of how well we are complying with the law and to help make changes to processes if necessary.
6. Make sure the information you manage is accessible and well structured so that you can retrieve it quickly when requested.
7. It is not lawful to charge for information without a published policy explaining the basis for arriving at a fee. In the absence of a published policy, charges are not made.
8. There must be strong prohibitive reasons not to provide information in a format that is within our ability to provide. Conversion to a new format is, however, different to having to significantly edit and rearrange information to make it legible in the format requested. Under the latter circumstances, a refusal may be valid, but advice should be sought if unsure.
9. We choose to manage complaints (known as Internal Reviews) within 20 working days. Where a simple error has been made in the response, it may be that the issue can be resolved informally. If not, then a full review of how the request was handled is required. This must be undertaken by an employee who was not involved in drafting or approving the original request, although the employee drafting the response may discuss how the original request was handled with those involved.
10. Ensure that the contact details for the ICO are provided to the requestor on any response documentation and explain when it is appropriate to escalate a complaint to the ICO in order to make requestors aware of their rights.
11. To enable requestors to understand the types of information the organisation holds, what format it can be disclosed in, and whether charges apply.
What if I need to do something against the policy?
If you believe you have a valid business reason for an exception to these policy points, having read and understood the reasons why they are in place, please raise a formal request by contacting the Headteacher via the School Office or by email: firstname.lastname@example.org with the subject line ‘GDPR Policy Exemption’.
Date approved: 16th August 2022
Approved by: Information Governance Lead on behalf of St Joseph’s Primary School Local Governing Committee
Next review: Annual Review to be completed by 31st August 2023
- Data Protection Act 2018
- UK GDPR
- Freedom of Information Act 2000
- Environmental Information Regulation 2005
- Education (Pupil Information) (England) Regulations 2005
Breaches of Information Policies will be investigated and may result in disciplinary action. Serious breaches of Policy may be considered gross misconduct and result in dismissal without notice, or legal action being taken against you.