Skip to main content

Freedom of information and environmental information regulations policy

Contents

1 Introduction

The Freedom of Information Act (2000) (FOIA) and Environmental Information Regulations (2005) (EIR) provide any individual the right to request any recorded information held by a public authority.

The FOIA and EIR place a legal obligation on the trust to inform the person making the request whether the information requested is held by the trust and, if so, to provide a copy of the requested information unless it is subject to an exemption.

The right to obtain a copy of information held by the trust may be subject to an exemption or exception as detailed in the FOIA and, or EIR.

The FOIA and EIR makes it a criminal offence to alter, deface, block, erase, destroy or conceal any record held by the trust, with the intention of preventing disclosure to all or part of the information that an applicant is entitled to.

Penalties can be imposed on both the trust and employees for non-compliance with the FOIA or EIR.

All requests must be made in writing and the trust legally has 20 working days in which to respond to a request for information.

If an individual is seeking information about themselves, it is exempt under the FOIA, but is covered by the ‘subject access’ provisions within the Data Protection Act (2018).

The FOIA provides a right of access to information held by a public authority, however, where a request has been made, and the requester wishes to re-use the information, the requester must apply to the trust for a re-use licence.

2 Purpose

This policy has been written to provide employees with an understanding of the FOIA and EIR, including the role of the legislation and the responsibilities of the trust.

This document has been written to ensure that all trust employees comply with the relevant legislation in relation to the provision of a trust-wide, robust service providing relevant access to requested information, delivered in partnership with the information governance (IG) department.

The policy provides guidance on the procedure and responsibilities to assist all employees in handling and processing such requests for information.

3 Scope

This policy applies to all employees working within the trust who are involved in recording or holding information that is covered by the act.

This policy is not designed to be a guide or a statement of procedures in complying with the FOIA and EIR. Guidance for employees will be provided within training and other related documentation.

Within the context of the FOIA and EIR, the term “information” means every piece of information held by the trust, whether paper or electronic. It includes all draft documents, agendas, minutes, emails (both work and personal), diaries, images, audio and even rough handwritten notes. This policy applies to all information held by the trust.

Every trust employee has a legal duty to preserve formal records of their official activities which must be accurate, adequately named and indexed for easy retrieval or publication. Poor record management itself is not an offence, but it may lead to an inability to comply with Freedom of Information requirements.

This policy is not a records management policy but should be integrated with trust’s records management structures.

4 Responsibilities, accountabilities and duties

4.1 Persons with lead responsibility for this policy are:

4.1.1 Chief executive

The chief executive is accountable for having policies and procedures in place to support best practice, effective management, service delivery, management of associated risks and meet national and local legislation and or requirements in relation to and including the Freedom of Information Act (2000). The trust’s qualified person is the chief executive.

4.1.2 FOI officer

The person within a public body who is responsible for compliance with the Freedom of Information Act.

4.1.3 Information governance (IG)

The IG department is responsible for the administration of a centralised request for information service and ensuring that all requests are valid.

In line with the code of practice issued pursuant to section 45 of the FOI Act the IG department will:

  • provide advice and assistance to persons making requests for information
  • transfer requests to another authority in respect of information that is not held by the trust
  • consult with third parties
  • ensure confidentiality obligations are considered
  • notify requestors of the trust’s complaints procedure when communicating responses

In line with the code of practice issued pursuant to section 46 of the FOI Act the IG department will:

  • have functional responsibility for records management
  • ensure the trust’s records management policy is reviewed at regular intervals and, if appropriate, amended to maintain its relevance
  • ensure designated colleagues of appropriate seniority have lead responsibility for records management within the trust
  • ensure systems are in place for record creation, keeping and maintenance
  • ensure the disposal of records is undertaken in accordance with trust policy
  • facilitate the performance of the public records office by ensuring the timely and effective review and transfer of public records

The IG department will ensure valid requests are referred to the service that holds information that falls within the scope of the request and, where applicable, ensure that relevant information is returned to the Team and a response provided to the applicant within the timescale laid down by the FOI or EIR act.

4.2 All colleagues

Are responsible for:

  • creating and maintaining records which are accurate, appropriate and retrievable. This will include adherence to standards for referencing, titling, filing and authoring documents, both electronically and on paper
  • ensuring that requests for information and possible re-use are passed in a timely manner to colleagues who are responsible for responding
  • ensuring that disclosures are not made outside the defined process so that inappropriate disclosures are avoided
  • ensuring that documents which fall within the requirements of the publication scheme are provided for publication
  • bringing new documents or classes of information that have not been previously published to the attention of information governance, who will facilitate agreement on publication of such material(s)

Employee responsibilities will be set out in contracts of employment. A breach of these responsibilities could result in disciplinary action.

5 Procedure or implementation

The process flow diagram in appendix E illustrates the trust’s process for handling requests for information.

The FOIA, section 8, and EIR regulation 4(2), make it a duty for a public authority to have an efficient process for responding to requests. The trust’s data protection officer (DPO) or head of information governance is responsible for ensuring the trust has a process in place to manage all non-standard requests for information submitted to the trust.

Colleagues receiving requests for non-standard requests for information must pass them to the information governance department to action via email: rdash.foirdash@nhs.net.

All requests will be logged, referenced, acknowledged and a final trust response documented. The IG department will liaise with the appropriate colleagues to respond to a request for information and, where necessary, obtain director approval for the trust’s response to a request for information.

All requests for information must be:

  • received in permanent form, such as in writing or email (EIR requests can be received verbally)
  • contain the name and correspondence address for the applicant
  • include sufficient information to enable the trust to identify the information requested

When the trust has processed a request for information, it will submit a “trust final response” to the requester. Within this final response, the following information will be provided:

  • how to request an internal review
  • contact the information commissioner’s office (ICO)

Information provided by another organisation, If the response to a request will contain information provided by another organisation, the trust will ensure that it is clear to the applicant where this information has come from, so that they can, if they require, raise a request to the source organisation.

In deciding whether to disclose information provided by another organisation in response to a request, the trust will apply the same process with regard to exemptions and will, if required, involve employees from the source organisation in discussions about possible exemptions.

If the response to a request is that the trust does not hold any relevant information, where it is known, the trust will direct the applicant to organisation(s) that may hold the information they seek.

If there is a request to re-use information provided by another organisation, the requester will be directed to the other organisation as they are likely to be the copyright holders.

The FOIA, section 10, and EIR regulations 5(2) make it a duty for a public authority to process all requests for information within 20 working days.

When the trust is in receipt of a request that fulfils the criteria above it will respond within 20 working days. Within this time, the trust must:

  • identify what information it holds and whether any exemption or exception applies (in full or part) to the information.
  • advise the applicant of any exemption or exception it believes applies (in full or part) to the information and inform them of their right to request an internal review, and then appeal to the information commissioner’s office
  • inform the applicant of any fee to be charged
  • provide any information not covered by an exemption or exception to the applicant in any manner specified by the applicant within 20 working days of receiving the request, provided any applicable fee has been received
  • otherwise advise the applicant if the request cannot be processed within 20 working days, giving an indication of the likely timescale for a decision to be reached and arrangement to ensure appropriate communication regarding this

The timing for response does not commence until the trust has sufficient information to process the request. Any communications to clarify a request will be undertaken without unnecessary delay.

Where the trust has sought clarification from a requester and has not received a reply within a month, the trust will send a reminder email to the requester. If the trust has not received a response for clarification within 3 months, the trust will consider the request to have been withdrawn by the requester and close the request.

The FOIA, section 9, EIR regulation 8(1) enable a public authority to charge a requester for making information available.

It is the aim of the trust to make as much information as possible available free of charge. However, there will be occasions when the trust will need to levy a charge for information, which will reflect the cost to the trust of providing the information.

The trust will not charge a fee for dealing with a request for information, in line with the national fees FOIA regulations, where the cost of the work to respond to a request for information is estimated to be less than £450. Where the cost is in excess of this amount, the trust will correspond with the applicant either to reduce the request (and therefore the cost) below the threshold. If agreement cannot be reached in such circumstances the trust may decide not to respond to the request. Requests for information under EIR will be charged in line with the national fees FOIA regulations.

In circumstances whereby the scope of the request needs to be reduced to remain within the fees regulations, or where clarification is required, then the clock measuring the 20 days can be paused between the date the applicant is notified and the date the clarification is received. If this period is in excess of 3 months the trust will consider the request to have been withdrawn by the requester and close the request. For example, if a request is received and it takes 3 days to identify the request and notify the applicant that clarification is sought, then 3 of the 20 days have been used. When the clarification is received, there are then 17 days remaining of the 20 in which to complete the response.

The FOIA, section 16, EIR regulation 9(1) require a public authority to provide advice and assistance to a person making a request. The trust will take all reasonable steps to advise anyone whose request does not fulfil the above criteria and what is required by the trust to progress their request.

Where the trust receives a request which is incompatible with the manner in which the trust holds information, it will contact the requester to provide advice and guidance.

Should an applicant make ‘vexatious’ or ‘repeated requests’ for identical or substantially similar information, the trust may inform the applicant in writing that they will not fulfil the request under Section 14 of the FOIA. Multiple requests from an individual will be aggregated (and dealt with as a single request) if the requests relate to a similar subject.

When responding in this manner the trust will inform the individual why it is considered that the request is ‘vexatious’ or ‘repeated’. The trust will also indicate what recourse the applicant has if they are unhappy with this decision.

5.1 Refusing an information request

The FOIA provides a number of restrictions or exemptions to the right of access. These are categorised as either absolute exemptions or qualified exemptions and are detailed at appendix B.

The DPO or head of information governance is responsible for facilitating responses to requests including the facilitation of decision-making about exemptions and the public interest in engaging colleagues involved in the areas the information relates to. Each request is decided on a case-by-case basis

An “absolute” exemption may be claimed where there is an explicit provision that the trust does not have to release the information. In some cases this will also remove the duty for the trust to confirm or deny that the information requested is held.

A “qualified” exemption may be claimed where there is a reason for not disclosing information. Before a final decision is made, a public interest test must be applied to each exemption claimed. If a qualified exemption is claimed, the trust will state the reasons why the public interest in maintaining the exemption outweighs the public interest in disclosure.

Where a request is refused, the trust will notify the applicant within 20 working days of receiving the request that this is the case and explain why the request is being refused.

In some cases, only part of a document requested may be withheld. In such circumstances the trust will ‘redact’ documents to edit out those elements for which an exemption is claimed.

EIR Exceptions, the act provides a number of restrictions or exceptions to the right of access. These are detailed at appendix C.

Complaints or appeals, any notice issued by the trust in response to a request for information will include details of the trust’s complaints procedure.

The trust’s process for handling FOI complaints (including appeals against a decision) will follow the key principles of the trust’s complaints policy. It applies to the complaints on the handling of information requests and complaints about the trust’s publication scheme. The trust’s FOI complaints process is detailed at appendix D.

Should the trust receive any notices served by the information commissioner it will make every endeavour to comply unless the trust feels it needs to appeal to the information tribunal.

Monitoring FOI requests, regular reports on the trust’s FOI requests are submitted to the trust board quarterly.

FOI publication scheme, the FOIA, section 19, makes it a duty for every public authority to adopt and maintain a scheme relating to the publication of information by that authority which is approved by the information commissioner. There is also a duty to review information published under the scheme from time to time.

The scheme must specify the classes of information, the manner of publication and whether the material will be provided free of charge or on payment. The publication scheme details the information that the trust makes routinely available to the general public.

The trust’s publication scheme follows the model publication scheme for health bodies in England and is available at: RDaSH publication scheme.

The seven headings of the scheme are:

  1. who we are and what we do
  2. what we spend and how we spend it
  3. what are our priorities and how are we doing
  4. how we make our decisions
  5. our policies and procedures
  6. list and registers
  7. the services we offer

Following the completion of a response to a request for information that is not covered by the publication scheme, consideration will be made whether this information should become part of the publication scheme.

The DPO or head of information governance is responsible for facilitating a review of the scheme on a regular basis and, where appropriate, seeking revised approval from the Information commissioner’s office if classes are added or deleted from the scheme.

The publication scheme will also state, where applicable, the sort of information that the trust considers to be exempt, outlining the nature of the exemption applied.

Where datasets are sought from the trust as a freedom of information request, the trust must, so far as reasonable, provide the information to the applicant in an electronic form which is capable of re-use in accordance with the terms specified in the ‘open government licence’. The terms of the open government licence may be found at open government licence (opens in new window).

The publication scheme must include publication of the datasets the trust holds in response to any request made under the Freedom of Information Act, and any updated version of that dataset, unless the trust is satisfied that it is not appropriate for the dataset to be published.

Right of Access Code of Practice (FOIA section 45) The Lord Chancellor’s Code of Practice issued under section 45 provides guidance for public authorities on their legal obligations under part 1 of the FOIA. This guidance has been adopted by the trust within this policy and in the trust’s FOI procedures and association with other key legislation.

Records Management Code of Practice (FOIA section 46) The Lord Chancellor’s Code of Practice issued under section 46 provides guidance for public authorities that are subject to the Public Records Acts (1958) and Public Records Act (1923), in relation to the creation, retention, management and destruction of their records.

The Lord Chancellor’s Code of Practice describes the arrangements public authorities should follow in reviewing public records and transferring them to the public record office or to places of deposit.

6 Training implications

Within the trust induction programme, all employees commencing employment are made aware of this process as part of the data security and awareness (IG) training session.

It is a requirement of the data security and protection toolkit (DSPT) that this training is refreshed annually.

The IG and DP department offer training to meet identified needs: this can be requested by contacting a member of the team.

6.1 All colleagues, data security and awareness (IG) training

  • How often should this be undertaken: Upon commencement of employment and annually thereafter.
  • Length of training: 1 and a half hours.
  • Delivery method: E-learning or face to face.
  • Training delivered by whom: IG or NHS Digital e-learning package.
  • Where are the records of attendance held: ESR.

As a trust policy, all colleagues need to be aware of the key points that the policy covers. Colleagues can be made aware through a variety of means such as:

  • all user emails for urgent messages
  • continuous professional development sessions
  • daily email (sent Monday to Friday)
  • group supervision
  • intranet
  • local induction
  • one to one meetings or supervision posters
  • practice development days
  • special meetings
  • team meetings

7 Monitoring arrangements

7.1 Policy content

  • How: Paper for debate.
  • Who by: DPO or head of IG.
  • Reported to: IG group.
  • Frequency: Every three years.

7.2 FOI and EIR response timescales

  • How: IG compliance report.
  • Who by: DPO or head of IG.
  • Reported to: IG group.
  • Frequency: Monthly.

7.3 FDE committee Report

  • How: Paper.
  • Who by: DPO or head of IG.
  • Reported to: FDEC.
  • Frequency: Quarterly.

7.4 Chief executive report

  • How: Paper.
  • Who by: IG officer.
  • Reported to: Board.
  • Frequency: Monthly.

8 Equality impact assessment screening

To access the equality impact assessment for this policy, please see the overarching equality impact assessment.

8.1 Privacy, dignity and respect

The NHS Constitution states that all patients should feel that their privacy and dignity are respected while they are in hospital. High Quality Care for All (2008), Lord Darzi’s review of the NHS, identifies the need to organise care around the individual, “not just clinically but in terms of dignity and respect”.

As a consequence the trust is required to articulate its intent to deliver care with privacy and dignity that treats all service users with respect. Therefore, all procedural documents will be considered, if relevant, to reflect the requirement to treat everyone with privacy, dignity and respect, (when appropriate this should also include how same sex accommodation is provided).

8.1.1 How will this be met

No issues have been identified in relation to this policy.

8.2 Mental Capacity Act (2005)

Central to any aspect of care delivered to adults and young people aged 16 years or over will be the consideration of the individuals’ capacity to participate in the decision-making process. Consequently, no intervention should be carried out without either the individual’s informed consent, or the powers included in a legal framework, or by order of the court.

Therefore, the trust is required to make sure that all colleagues working with individuals who use our service are familiar with the provisions within the Mental Capacity Act (2005). For this reason all procedural documents will be considered, if relevant to reflect the provisions of the Mental Capacity Act (2005)to ensure that the rights of individual are protected and they are supported to make their own decisions where possible and that any decisions made on their behalf when they lack capacity are made in their best interests and least restrictive of their rights and freedoms.

8.2.1 How will this be met

All individuals involved in the implementation of this policy should do so in accordance with the guiding principles of the Mental Capacity Act (2005) (section 1).

10 References

11 Appendices

11.1 Appendix A Definitions or explanation of terms used

11.1.1 Freedom of Information (2000) (FOIA)

The FOIA provides individuals with the right to access information held by a public authority, to be informed whether the public authority holds the requested information and to be provided a copy of this information within 20 working days.

11.1.2 Environmental Information Regulations (2004) (EIR)

The Environmental Information Regulations 2004 set out the requirements for responding to requests for information relating to the environment and have been updated in line with the Freedom of Information Act (2000).

The EIR provide a right of access to environmental information held by public authorities and relates to any information that is written, visual, aural, and electronic or in any other material form on:

  1. the state of the elements of the environment, such as air and atmosphere, water, soil, land, landscape and natural sites including wetlands, coastal and marine areas, biological diversity and its components including genetically modified organisms and the interaction amongst these elements
  2. factors, such as substances, energy, noise, radiation or waste, including radioactive waste, emissions, discharges and other releases in the environment, affecting or likely to affect the elements of the environment referred to in section (a) above
  3. measures (including administrative measures) such as policies, legislation, plans, programmes, environmental agreements, and activities affecting or likely to affect the elements and factors referred to in (a) or (b) as well as measures or activities designed to protect those elements
  4. reports on the implementation of the environmental legislation
  5. cost-benefit and other economic analyses and assumptions used within the framework of the measures and activities referred to in (c)
  6. the state of the human health and safety, including the contamination of the food chain where relevant, conditions of human life, cultural sites and built structures inasmuch as they are or may be affected by the state of the elements of the environment referred to in (a) or through those elements, by any of the matters referred to in (b) or (c)

Under the EIR, individuals are entitled to make a verbal request for information. In order for the trust to manage the request, all requests will be written down. Where the trust receives a request for information under EIR it will be processed in the same manner as an FOI request.

In line with the EIR the trust will endeavour to make environmental information available electronically.

11.1.3 Data Protection Act (2018) (DPA)

If an individual is seeking information about themselves, it is exempt under the FOIA, but is covered by the ‘subject access’ provisions within the Data Protection Act (2018).

Where there is an overlap between the FOIA and the Data Protection Act (DPA) with regard to information relating to living individuals, the relevant areas of the DPA will be taken into account.

The data protection act does not provide a right of access to information about third parties, however depending on applicable exemptions, the FOIA does set out:

  • that the information should be disclosed to the subject of the information if he or she were to apply under the data protection act
  • that disclosure should not contravene the data protection act principles set out in schedule 1 of the act
  • that the subject of the data has not exercised his or her rights to prevent processing likely to cause damage or distress
  • the information requested is not ‘sensitive’ within the terms of data protection act or about an individual’s personal life

11.1.4 Re-use of public sector information

Re-use of Public Sector Information Regulations (2005) enables the public sector to establish a framework that provides for:

  • identification of documents that are available for re-use
  • documents that are available for re-use at a marginal cost
  • dealing with applications for re-use in a timely, open and transparent manner
  • establishing a fair, consistent and non-discriminatory process

The trust will apply these regulations where it holds the intellectual property rights or copyright for the information and where re-use has been requested by a body that is not a public authority.

The FOIA provides a right of access to information held by a public authority; however, where a request has been made, and the requester wishes to re-use the information, the requester must apply to the trust for a re-use licence.

A standard response is included to the trust’s final response stating that if the requester wishes to re-use the information, then this is subject to a licence from the trust.

Where a request for re-use is received, this will be processed by the trust taking into consideration the reason for re-use. Where a person does not identify the purpose of re-use, this will be queried with the requester.

The trust will grant permission to re-use information under the terms of the open government licence for public sector information policy, unless there are clear grounds to withhold the licence.

Where the trust raises a re-use charge for information this will be applied on a cost recovery basis, taking into account the cost to provide the information and of the time spent on original creation. The information commissioners rate for determining fees will be used as the standard (£25 per hour at time of the publication of this policy).

Records kept by a public body such as the trust and covered by the Public Records Act (1958).

11.1.6 Classification

Systematic identification and arrangement of business activities and or records into categories according to logically structured conventions, methods and procedural rules represented in a classification system

11.1.7 Code of practice

A set of documented procedures used by public bodies to ensure they comply with legislation. For example, the NHS code of confidentiality.

11.1.8 FOI Officer

The person within a public body who is responsible for compliance with the freedom of information act.

11.2 Appendix B FOI exemptions

Absolute, if a request falls into this category, there is no requirement to consider the public interest test.

Qualified, if a request falls into this category, a public interest test must be considered and applied.

  • Section 21 (likely to be applied by the trust), information reasonably accessible to the applicant by other means: Absolute.
  • Section 22 (likely to be applied by the trust), information intended for future publication: Qualified.
  • Section 23, information supplied by or relating to bodies dealing with the security services: Absolute.
  • Section 24, national security: Qualified.
  • Section 26, defence: Qualified.
  • Section 27, international relations: Qualified.
  • Section 28, relations within the UK: Qualified.
  • Section 29, economy: Qualified.
  • Section 30, investigations: Qualified.
  • Section 31, law enforcement: Qualified.
  • Section 32, information contained in court records: Absolute.
  • Section 33, public audit: Qualified.
  • Section 34, parliamentary privilege: Absolute.
  • Section 35, policy formulation, ministerial communications, law officers’ advice and the operation of ministerial private office: qualified.
  • Section 36, effective conduct of public affairs: Qualified.
  • Section 37, communications with her majesty and the awarding of honours: Qualified.
  • Section 38 (likely to be applied by the trust), health and safety: Qualified.
  • Section 39 (likely to be applied by the trust), environmental information: Qualified.
  • Section 40 (likely to be applied by the trust), personal information: Absolute.
  • Section 41 (likely to be applied by the trust), information provided in confidence the duty of confidence and the public interest Information provided in confidence relating to contracts: Absolute.
  • Section 42 (likely to be applied by the trust), legal professional privilege: Qualified.
  • Section 43 (likely to be applied by the trust), commercial interest public sector contracts commercial detriment of third parties: Qualified.
  • Section 44 (likely to be applied by the trust), prohibitions on disclosure: Absolute.

11.3 Appendix C EIR exceptions

  • Regulation 12(3), personal data.
  • Regulation 12(4)(a), information not held when receiving a request
  • Regulation 12(4)(b), manifestly unreasonable.
  • Regulation 12(4)(c), The request is too general.
  • Regulation 12(4)(d), material in the course of completion, unfinished documents and incomplete data.
  • Regulation 12(4)(e), disclosure of internal communications.
  • Regulation 12(5), adverse effect.
  • Regulation 12(5)(a), international relations, defence, national security or public safety.
  • Regulation 12(5)(b), the course of justice, the ability of a person to obtain a fair trial or the ability of a public authority to conduct an enquiry of a criminal or disciplinary nature.
  • Regulation 12(5)(c), intellectual property rights.
  • Regulation 12(5)(d), the confidentiality of the processing of a public authority where such confidentiality is provided by law.
  • Regulation 12(5)(e), the confidentiality of commercial or industrial information where such confidentiality is provided by law to protect a legitimate economic interest.
  • Regulation 12(5)(f), the interests of the person who provided the information where that person:
    1. was not under, and could not have been put under any legal obligation to supply it to that or any other public authority
    2. did not supply it in circumstances such that or any other public authority is entitled apart from these regulations to disclose it
    3. has not consented to its disclosure
  • Regulation 12(5)(d), the protection of the environment to which the information relates
  • Regulation 12(9), information relating to emissions.

11.4 Appendix D Complaints process

11.4.1 Internal review

Individuals who are dissatisfied with the trust’s decision on an information request, or with the way in which the trust has handled a request for information under the Freedom of Information Act (2000), the individual(s) should address their complaint in writing to:

DPO or Head of Information Governance
Rotherham Doncaster and South Humber NHS Foundation trust
Woodfield House
Tickhill Road Site
Tickhill Road
Balby
Doncaster
DN4 8QN

If as an employee you receive a complaint about the trust’s handling of an information request or a complaint in relation to the trust’s FOI publication scheme, this should be forwarded immediately to the trust’s DPO or head of information governance.

The head of information governance will review, or appoint a senior manager to review, the complaint. The trust manager undertaking the review must:

  • Have a good understanding of the principles of FOI,
  • Not have been involved in the trust’s decision relating to the information request which has led to the complaint.

Complaints about information requests will be acknowledged within 2 working days of receipt. Upon acknowledgement of receipt, the complainant will be informed that the trust aims to respond to their complaint within 20 working days. All FOI complaints will be logged and tracked.

In line with the Lord Chancellor’s Code of Practice, the trust’s FOI complaints procedure will “provide a fair and thorough review of handling issues and of decisions taken pursuant to the Act, including decisions taken about where the public interest lies in respect of exempt information.”

The remit of the internal review will be as follows:

  • to consider whether the act was properly applied in the case of the initial information request, in particular, to review whether the information requested falls under any exemption or exceptions(s) cited in the trust’s response and whether the public interest test (if applicable) has been applied appropriately
  • to consider whether the trust has compiled with its stated FOI policy and procedures in the handling of the initial information request
  • to consider what weight should be given to any additional points made by the applicant when registering their complaint
  • to consider whether there are any lessons to be learnt in relation to the handling of future information requests
  • to make a recommendation on the trust’s response to the FOI complaint

In undertaking the internal review, the reviewer will have access to all the information held by the trust in relation to the information request and will be able to discuss the case with all those involved in the original decision. In many cases, the procedure should be simple and quite informal; however, in some cases a more detailed review may be required.

The internal reviewer will produce a written report on his or her review of the complaint, recording the outcome of the review and the reasons for it. Where applicable, the report should clearly set out whether the reviewer recommends that either:

  • the trust’s original decision is upheld
  • the trust’s original decision is reversed or modified

Once the internal review is complete, the internal reviewer will send a copy of the final report and recommendations to the head of information governance, together with a draft reply to the complainant.

The trust’s DPO or head of information governance will review the recommended response and reply to the complainant with the outcome of the trust’s internal review.

11.4.2 External review

If a complainant remains dissatisfied following the trust’s internal review stage, they have the right to complain to the information commissioner at:

Information Commission
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK95 5AF

ICO Website (opens in new window)

In all correspondence with the requester, the trust’s response will include details of this right of external appeal.

The information commissioner is a regulator, not an ombudsman. They will make an assessment whether the provisions of the act have been compiled with.

If a case is appealed to the information commissioner, the commissioner may require information to be provided by the trust in order to consider the appeal. Usually this will be the information that has been requested as well as the reasons for withholding it and any other relevant information. In the case of a qualified exemption, the explanation will need to cover how the public interest test has been applied. Such notices are called information notices and will specify the information required and the deadline for providing it.

Information notices must be complied with, refusal to comply could be treated as contempt of court if referred by the Information commissioner to the high court. The information commissioner may not require disclosure of any legal advice to the trust surrounding the request.

If the information commissioner upholds a complaint, a decision notice will be issued and served on the complainant and the trust. This will specify the steps that must be taken and the time period for doing so.

Decision notices are binding on the trust and refusal to comply may lead the information commissioner to refer the case to the high court which would deal with the trust as if it had committed a contempt of court.

Both the applicant and the trust can appeal the information commissioner’s decision to an Information Tribunal and thereafter, on a point of law only, to the courts.

The information commissioner also has the power to issue enforcement notices in relation to failure to comply with any requirement of part 1 of the act. These do not necessarily have to be linked to complaints. Failure to comply may result in contempt of court and can be appealed by the trust is the same way as decision notice.

11.5 Appendix E Process flow diagram

  1. Trust receives request for information.
  2. Is it a verbal request for information?
    • Yes, ask requester to place the request in clear writing with returnable correspondence address, end process.
  3. Log the request, send acknowledgement to the requester.
  4. Process the request in-line with the trusts FOI Procedures.
  5. Is the request relating to a living individual, for example, colleague or patient?
    • yes, FoIA exemption 40(2) or 40(5) may apply or EIR exemption 12(3). Consider DPA18, end process.
  6. Is the request relating to a deceased patient?
    • yes, FoIA exemption 41 could apply or EIR Exemption 12(5)d. consider access to Health Records Act (1990)
  7. Is the request relating to environmental information?
    • yes, FoIA exemption 39 could apply. Consider Environmental Information Regulations (2004) exceptions
  8. Is the request from a private organisation or company or individual?
    • yes, inform requester of re-use of Public Sector Information Regulations (2005)
  9. Inform the requester of the right to appeal to the trust or the ICO.

Document control

  • Version: 2.
  • Unique reference number: 598.
  • Date approved: 13 August 2024.
  • Approved by: Digital transformation CLE group.
  • Name of originator or author: Head of information governance or DPO.
  • Name of responsible individual: Director of health informatics.
  • Date issued: 14 August 2024.
  • Review date: 31 August 2027.
  • Target audience: All employees.

Page last reviewed: November 26, 2024
Next review due: November 26, 2025

Problem with this page?

Please tell us about any problems you have found with this web page.

Report a problem