We use cookies to help provide you with the best possible online experience.
By using this site, you agree that we may store and access cookies on your device. Cookie policy.
Cookie settings.
Functional Cookies
Functional Cookies are enabled by default at all times so that we can save your preferences for cookie settings and ensure site works and delivers best experience.
3rd Party Cookies
This website uses Google Analytics to collect anonymous information such as the number of visitors to the site, and the most popular pages.
Keeping this cookie enabled helps us to improve our website.
1. Introduction
1.1 Information is an invaluable asset to any organisation. The practice relies on this information in order to carry out statutory and other functions as well as deliver services. However, holding this information imposes legal obligations as a public body. The central legislation that this policy document focuses on is the Freedom of Information Act 2000 (FOIA 2000) and to a lesser extent Environmental Information Regulations 2004 (EIR 2004).
1.2 The document provides a framework to meet legal requirements in relation to information requests that fall within the scope of FOIA or EIR legislation.
1.3 This policy relates to all information held by the practice regardless the format it is held or when it came into the possession of the practice. Furthermore, the information does not necessarily have to originate from the practice (e.g. it may have originated from another organisation, a contractor or any other third party). The only criterion is that the practice, at the time of the request, holds the information or it is held on the practice’s behalf by a third party.
1.4 This policy was last updated October 2021.
This document sets out the policy framework to assist in complying with practice’s obligation under the Freedom of Information Act (FOIA). It is not intended that this document provides a comprehensive guide as to the legal obligations that apply under the FOIA, and should be read in conjunction with the following references.
- Freedom of Information Act 2000
- Environmental Information Regulation 2004
- Section 45 (Freedom of Information Act) Code of Practice
- Guidance published by the Information Commissioner’s Office
2. Aim of the Policy
2.1 The aims of this document are to:
- assist workforce to comply with the law;
- to ensure free and reasonable access to information held by the practice;
- promote greater openness;
- provide increased transparency of decision making; and
- build public trust and confidence.
2.2 These aims will be balanced against the need to ensure the confidentiality of some information relating to such areas as personal privacy, confidentiality and commercial sensitivity where disclosure would not be in the public interest.
3. Our commitment
3.1 The practice is committed to openness about the way in which it operates and makes decisions and there will be a presumption in favour of the disclosure of information wherever possible. This policy sets out the general principles that will be adopted in response to requests for information under these statutory access regimes
4. Roles and responsibilities
4.1 Ultimate accountability for all decisions made relating to Freedom of Information and associated legislation lies with the Senior Information Risk Officer (SIRO).
4.2 Application of Section 36 exemption (FOIA 2000) can only be sanctioned by the Practice Board (“the authority’s primary decision-making organ”).
4.3 The SIRO is responsible for ensuring that sufficient resources are provided to support the requirements of this policy as well as making strategic level decisions which impact on how the practice carries out its obligations under the legislation The Practice Manager is responsible for monitoring compliance within their service area and taking any necessary corrective action.
4.4 The Practice Board monitors, oversees, reports and makesrecommendations on all strategic level FOI issues.
4.5 The Data Protection Officer provides advice and guidance on FOI issues, and should be consulted if there is any uncertainty as to how to handle a request. The DPO is also responsible for dealing directly with the Information Commissioners Office and assist them as necessary in investigating a complaint made against the practice, with the assistance of the Practice Manager.
4.6 The Practice Manager is responsible for overseeing the handling of the request. The Practice Manager is responsible and accountable for the information that is or is not provided. If in anydoubt as to whether information should be disclosed or not then the Practice Manager should consult the DPO, who may advise that an external legal opinion is needed. The Practice Manager may also be called upon to undertake a review if requested by an applicant.
5. Training and Awareness
5.1 It is mandatory that all practice staff (including temporary or casual workers) undertake the E-Learning module covering FOI. New entrants will be expected to undertake and successfully complete the module within 5 working days of joining the practice. Established staff will be expected to undertake and complete refresher training as directed.
5.2 Practice Managers should encourage and make time for their staff to attend any further FOI training or awareness opportunities that may arise.
6. Requests for information
6.1 Different type of Information requests
6.1.1 Not all requests for information are necessarily handled under FOIA / EIR legislation. For instance, requests for personal information, belonging to the applicant themselves, is governed by access rights available under the data protection law. Also, where information is requested which is of a more routine nature (see examples below) these can be handled as a business-as-usual request and consequently dealt with under the practice’s procedures for dealing with requests for information. Requests for information that may fall within the scope of a business-as-usual request may include but is not limited to the following examples:
- Requests for practice leaflets, brochures, or other publications practice opening times, contact details.
- Routine information regarding practice services (e.g. clinics, immunisations)
- Any other type of information requests that are routinely handled and delivered over the phone.
6.1.2 If in any doubt as to whether the request should be handled under FOIA or “business as usual” it is recommended that you treat under the former to reduce the risk of non-compliance with FOIA.
6.2 Methods of making a request under FOIA
6.2.1 All requests must be made in writing.
6.2.2 However, the legislation does not oblige the requestor to submit the request on-line and the request is acceptable by post by email or fax. The clock (public bodies have 20 working days to respond), will start as soon as the request arrives in the practice (and not necessarily from the day the responsible officer receives or reads it). This is why it is essential that there is no delay in handling the request and that it is directed to the Practice Manager as soon as possible. By doing this there is a reduced risk that the request is missed or delayed.
6.2.3 Although requests under FOIA cannot be made verbally the legislation permits environmental information made under EIR to be made in this manner either over the phone or in person. However, wherever possible the applicant should be encouraged to make the request in writing.
6.2.4 A common issue is persons confusing the FOI regulations with the Data Protection Regulations e.g. “I want to make an FOI request for my patient record”. We need to respond to the FOI request even if it is clearly invalid because it is the personal data of the applicant. A template response to these is given at 0
7. Handling Requests
7.1 Time limit for responding to a request.
7.1.1 Although the practice has 20 working days to comply with a request, the practice is expected to respond to the request as quickly as is reasonably possible, given the resources available and the complexity of the request. In any event the time limit allowed should be seen as an absolute maximum, rather than a target for responding and resources will need to be managed accordingly to ensure that the statutory limit is not breached.
7.1.2 It should be noted that in cases where additional information is sought from the applicant to help locate the information requested, or if a charge notice has been issued (in the event that the charging policy applies), the waiting period is not counted towards the 20 days allowed.
7.1.3 Where a request is transferred from another practice to the practice (e.g. another practice) as it was identified that the practice held part, or all of the information requested, the first day of the statutory period will be the first working day after the practice receives the transferred request.
7.2 Contentious or novel requests
7.2.1 As a public body the practice has a statutory duty to comply with the Freedom of Information Act and, when responding to a request, provide any information that is held subject to any exemptions that may apply.
7.2.2 If a contentious or novel request, which may be the subject of media interest, is received it should be referred immediately to the DPO so that they are aware. The responsibility for dealing with the request remains with the practice. The DPO will engage the PCN/CCG/ICS as required.
7.2.3 To assist in determining what should be referred to the DPO please see Appendix 1 for guidance. If in doubt about referring, please seek the advice from the Practice Manager.
7.2.4 If a request subsequently undergoes an appeal, the Practice Manager should be notified and have sight of the appeal response before despatch to the applicant for comment.
7.2.5 When referring a draft response to the Practice Manager please allow up to 2 working daysturnaround time. This will need to be taken into account in meeting the statutory 20 day limit
7.3 Information required from the Applicant
7.3.1 Information requests are motive blind, meaning that the requestor should not be challenged as to the reason for why the information is being asked. The only relevant factors are whether we hold information and whether circumstances exist why the information may not be disclosed (i.e. a statutory exemption is engaged).
7.3.2 The practice is only obliged to comply with a request if an applicant makes a request in writing (although request for environmental information under EIR can be made verbally)and provides the following:
a) A description of the information so that it can be located. If there is any doubt about what information is being requested the applicant should be asked to clarify their request as soon as possible. Practice Manager should not presume or anticipate what the applicant is requesting.
b) A means by which a response can be communicated to the requestor such as a postal or email address
c) The applicant’s name. If the applicant only provides the name of an organisation this is also acceptable. There are occasions where applicants may use fictitious or assumed names. If it is suspected that this is the case officers should use their discretion. The real name of an applicant is only usually relevant if for instance personal information is being sought and the identity of the requestor is necessary to ascertain whether they are the data subject or a third party. The true identity of an individual is also necessary if the applicant is using a pseudonym to either circumvent the appropriate limit or because the applicant has previously been issued with a vexatious refusal notice. If in doubt legal advice should be sought.
7.4 Appropriate Limit
7.4.1 Where complying with a request would exceed the “appropriate limit”, which is set at £450 (or 18 hours) The Practice should advise the applicant that the cost limit applies and provide guidance to the applicant on modifying the request so that the request can be dealt with within the limit.
7.4.2 If the Practice refuses to comply with the request (as permitted under Section 12 FOIA 2000) because the appropriate limit will be breached, then a note should be made of how the estimate was arrived at. This is so if the refusal is subsequently challenged, there is evidence at hand than an estimate was undertaken and shows that compliance with the request would breach the limit.
7.4.3 The estimate is no more than a rough calculation of the time likely to be taken to comply with the request
Example
Where to comply with a request requires one or more practice staff members to search through 80 separate files or records which on average would take approximately 15 minutes to review each one. Therefore, the total time required to collect the information would be 80 x 15 = 20 hours, which exceeds the appropriate limit of 18 hours. Note that the time for redaction cannot generally be taken into account.
In this situation before invoking section 12 and refusing the information request, the Practice Manager would be expected to have first engaged with the applicant to explore if at least some information can be provided within the limit.
7.5 Disbursements
7.5.1 Under FOIA the practice is permitted to make reasonable charge for photocopying, printing and postage costs or disbursements. A charging policy is available on our website on how the practice applies these charges.
7.5.2 It should be noted that only the costs of materials can be included in disbursements costs and cannot include staff time
7.6 Third Party Consultation
7.6.1 Some requests under FOIA may require practice staff to consult with third parties (e.g.partner agencies and contractors) to consider whether any exemptions apply.
7.6.2 A refusal to consent to the disclosure by a third party is not determinative in whether information is disclosed or otherwise, but such opinion should be considered alongside other relevant factors to make this assessment. The final decision on whether or not to disclose rests solely with the practice.
7.6.3 The practice will only accept information from third parties in confidence, if it is necessary to obtain that information in connection with an exercise of any of the functions and it would not otherwise be provided. The practice will not agree to hold information received from third parties "in confidence" which it believes does not have the necessary quality of confidence.
7.6.4 Potential and existing contractors must be made aware of practice obligations with regards to FOIA and EIR and that all information held by the practice may be disclosable subject to any relevant exemption that applies.
7.7 Transferring Requests
7.7.1 A request can only be transferred to another public body where the practice receives a request for information which it does not hold itself. There may be occasion that the practice holds only part of the information in which case the practice should respond to that part of the request for which it holds information and transfer the remaining part of the request to the other public body for it to respond separately.
7.7.2 Before transferring a request, the practice must ensure that the identified public body does indeed hold the information that has been requested. Furthermore, the applicant should be contacted as soon as possible to advise that the practice does not hold the information and to seek consent to transferring the request to the public body holding the information. Alternatively, the applicant should be advised to contact the public body holding the information directly.
7.7.3 Where information is held on practice’s behalf by a third party (e.g. a contractor), this is captured by FOIA and the practice should respond as if it physically held the information.
7.8 Right of Appeal
7.8.1 In circumstances where information is being withheld in part or completely, a refusal notice must be issued to the applicant which must include references to the right of appeal. Although there is no legal requirement to refer to this right of appeal if supplying all the information as requested, it is good practice to do so.
7.9 Review Process
7.9.1 A formal review process must be carried out by the practice if requested by the applicant. This may happen where the applicant is unsatisfied about any aspect of how their request was handled (including exceeding the 20 day time limit). Although there is no set time stated for when the review must be completed, the Practice Manager should aim to complete the appeal and respond to the applicant within 20 working days of receiving the written appeal request. If the applicant is still unhappy they may apply to the Information Commissioner to review their case. Full details of the review procedure can be found at Appendix 3 attached
8. Disposal and Destruction of information
8.1 FOIA only applies to information that a practice holds. Where information is earmarked for disposal, as it is no longer required, there is nothing preventing schools from carrying out these routine records management responsibilities.
8.2 It is illegal under the section 77 of FOIA to wilfully destroy or alter any original documents in order to avoid releasing information. It is important to note that it is the individual that is responsible rather than the public body and carries a fine of up to £5000. Any person found guilty of such an offence will almost certainly face internal disciplinary proceedings and possible dismissal.
8.3 Please also see section 11 below which relates to the retention schedule for FOIA related documents.
9. Publication Scheme
9.1 FOIA requires all public bodies to have a publication scheme. The practice has chosen to adopt the Information Commissioner’s Model Publication Scheme. The scheme:
- sets out the types of information we must routinely publish;
- explains the way we must provide the information;
- states what charges can be sought for providing information; and
- commits the practice to providing and maintaining a guide to the information it provides, how it is provided and any charges where they apply.
9.2 The publication scheme facilitates the pro-active release of information and the practice encourages as much information as possible to be released in this way and not just to information prescribed within the publication scheme.
9.3 If new information is published please notify the Practice Manager so that the information can be added to the list that records information within the practice.
10. Retention Periods for FOIA related documents
The retention schedule is given in the Health and Social Care Records Management Code of Practice
11. Requests To and from Other NHS Bodies
11.1 The legislation allows any person or organisation to make a freedom of information request including other NHS bodies. In practice this access regime is not commonly used between NHS bodies. In a spirit of co-operation these will normally use less formal avenues to obtain information from each other.
11.2 Therefore, the Practice Manager should avoid wherever possible using the freedom of information access regime to procure information from other organisations and instead use a less formal route in the first instance.
11.3 Similarly, should practice staff receive a request from another public body they may wish to contact the requesting organisation to seek agreement for their request to be handled less formally, perhaps as a practice business as usual request. However, the requesting body’s agreement is necessary. Unless they do withdraw their freedom of information request it must be handled under the freedom of information regime.
12. Datasets
12.1 The FOIA gives users the right to access data sets for reuse, once the practice has decided that no exemptions or other provisions (e.g. costs, vexatious) in the legislation apply.
12.2 Further information on the obligations including what the legislation defines as a dataset can be found in the Information Commissioner guidance on Datasets.
Appendix 1
Categories of requests where you should consult the DPO
The following illustrate examples of requests that should be referred to the DPO
- Requests relating to practice expenditure which is not already published.
- Requests regarding any legal prosecution with practice involvement past, present or future.
- Requests relating to deceased persons where the requester does not have a claim on the estate.
- Requests relating to services provided by the NHS, CCG/ICS
- Requests relating to workforce pay, sickness absence or personal details.
This list is not exhaustive.
Appendix 2
Re-use of practice information and copyright
Unless otherwise stated, the practice owns the copyright in all material on their website and any information contained in responses to request for information made under Freedom of Information or Environmental Information Regulations.
Subject to the following conditions, the practice has no objection to organisations reusing its copyright-protected materials (the 'Materials') and reproducing them in their own publications, or on their internal computer networks. Organisations using the practice’s materials must adhere to the following criteria:
- Any publication or internal network which incorporates the practice Materials must include an acknowledgement of the source of such materials.
- The Material must be clearly separated from any comment made on it by the organisation or others.
- Readers of the Material must not be given the impression that the practice is responsible for, or has in any way approved, the publication or network in which his Materials are reproduced.
- The Materials may not be altered or amended unless such material is clearly marked as altered or amended by the organisation or others.
- No fee may be charged by any organisation reproducing the practice’s Materials in respect of reproducing Materials.
- When reproducing the practice’s Materials, organisations must have regard to any qualifying statements or descriptions attached to the Materials, (for example, descriptions such as 'consultation document', are important as are statements concerning the audience at which the Material is directed). If the Material is reproduced in full, or substantial extracts are reproduced, any qualifying statements attached to the Material must be included.
- There is no charge for the reproduction of Materials made in accordance with these conditions.
The Re-use of Public Sector Information Regulations 2005 provided a framework for deciding issues relating to the re-use of information held by public bodies. Subject to the conditions set out above, the practice has no objection to organisations reproducing the Materials made available
Where an organisation wishes to re-use the practice’s Materials, but the proposed re-use would contravene any of the conditions set out above, the organisation should contact the Practice Manager to determine whether the proposed re-use would be permitted and what, of any, additional conditions may apply. The application should be in writing, specifying name and address of the applicant, identifying the documents to be re-used and the purpose for re-use. If an individual or organisation is unhappy with the manner in which an application for the reproduction or the re-use of the practice’s Materials has been handled by the practice, a complaint should be made in writing to the practice.
Appendix 3
Internal Review Procedure
This process relates to the FOIA Internal Review Procedure.
- In all cases where a Freedom of Information (FOI) response is made to a request received, the response must contain the following statement, or words to a similar effect: “If you are dissatisfied with the handling of your request, you have the right to ask for an internal review. If so, you should email or write to me to ask for an internal review to be carried out. The review will be carried out by a senior manager within the practice or the Data Protection Officer as appropriate, who will advise you directly of the outcome of the review. If you are still dissatisfied, you may ask the Information Commissioner's Office to consider your complaint. Internal review requests should be submitted within two months of the date of receipt of the response to your original request and should be addressed to the responding person.If you are not content with the outcome of the internal review, you have the right to apply directly to the Information Commissioner for a decision. The Information Commissioner can be contacted at: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.”
- On receipt of a request for a review of the response, the original responding person (RP), should consider the detail of the review and re-evaluate the basis of the response as appropriate. In doing so, the RP may wish to take advice from the legal.
- If the RP, on reflection considers that the request for the review is reasonable and that further disclosure is merited, they should respond accordingly.
- If after deliberation the RP does not consider the grounds of the appeal to be reasonable, they should arrange for the SIRO to undertake a review. The RP should pass the SIRO all the relevant correspondence (e.g. the request for information, the response and any other communications relating to the request) as well as the disputed information.
- The applicant should be given an estimate as soon as possible after the request for an appeal has been received, of the time the review is likely to take. The SIRO should aim to complete their review and respond within 20 working days. Where there is delay in the review the applicant should be informed and advised of the revised response time
- The RP may, if they feel it appropriate, request that the review response is considered by the Data Protection Officer prior to being sent out.
- Once the RP has completed the review they should respond as appropriate. If the appeal is upheld then a disclosure of the disputed information should be given to the applicant. However if the appeal is only partially upheld or if the original decision is maintained then a full explanation as possible should be provided to the applicant and any additional disclosure as appropriate.
- If the review relates to a procedural matter and it was shown that the practice did not follow its procedures an apology should be offered to the applicant. Steps should also be taken to ensure that the occurrence is not repeated.
- Full details of all steps taken must be recorded (e.g. the reasoning and logic behind the response, the steps taken to review, etc.) in lieu of any appeal to the Information Commissioner’s Office.
- All requests for a review of a data protection issue, whether made by an individual or the Information Commissioner’s Office, should be passed to the practice’s Data Protection Officer.
Appendix 4
Response to FOI request for personal data
Dear <patient>
Thank you for your request on <date>
The response to your Freedom of Information Act 2000 request is that the data requested is exempt under Section 40(1) – personal information of the applicant. The request is therefore refused.
We believe that you may have wished to make a request under Article 15 of the UK GDPR for access to your data. If this was what you wanted, please reply to us stating this, and we will process that request.
We apologise for the formality of this process, but the law requires us to formally answer all Freedom of Information Act requests within 20 working days.
Yours
<etc>
Providing NHS Services
The Caversham Group Practice
4 Peckwater Street
London
NW5 2UP
Telephone: 020 7428 5700