Freedom of information requests procedure
A step-by-step guide to the freedom of information process and what you must do if you receive one.
Last reviewed: November 2019
- Why do we need this procedure?
- So, what's the procedure?
- Related policies, procedures and information sources
Why do we need this procedure?
The FOIA provides access to information held by public authorities, such as Social Work England. Members of the public are entitled to request information from Social Work England and we must respond promptly to these requests.
So, what’s the procedure?
The FOIA entitles anyone to request information from us. We normally have a maximum of 20 working days to respond to these requests, with day 1 being the first working day after the request is received.
In some cases, we can take up to an additional 20 working days to respond where necessary to consider the balance of the public interest. This applies:
- in certain cases where we are considering withholding the information, or
- where we are considering the public interest in confirming or denying whether the information is held.
We will follow Information Commissioner’s Office guidelines and follow a formal procedure for responding to requests where:
- we cannot provide the requested information straight away, or
- the requestor makes it clear that they expect a response under the FOIA.
Requests that can be dealt with immediately
Where the information can be provided straight away by the team that received the request, that team should follow their usual procedure for responding. Examples include requests for information:
- Already published on our website
- Included within our published public registers
- Contained within published board papers
The FOIA states that all Freedom of Information (FOI) requests must be made in writing. Our website will advise the public to send FOI requests to the normal contact email address, [email protected].
We expect that the majority of requests will be received through this channel. However, all employees should be aware that requests could be received by other means, including in emails received directly by departments or individuals, in the post or through social media.
Requests that are received through the normal contact email address will be logged by the registration team on the tracking sheet, assigned a reference number and forwarded to the business area that the registration team believes will be best placed to provide the requested information.
The information requests inbox, [email protected], must be copied in. The email should include the reference number in the subject line. All subsequent emails regarding the request should include the reference number in the subject line, and the information requests inbox should be copied in. This will allow the data protection and information manager to keep an audit trail of how the request was handled.
Where the registration team member is unable to identify the business area that would be able to respond to the request, he / she will forward the request to the information requests inbox with an explanation that he / she was unable to identify the correct business area to respond to it.
The data protection and information manager will then determine the next steps to be taken. Any employee who receives an FOI request through any other method should make the data protection and information manager aware immediately so that the request can be logged and managed through the usual procedure outlined below.
In the event of a request being received by post, the letter should be scanned and emailed to the information requests inbox. Once the document has been checked to ensure that it is complete and legible, it should be disposed of in confidential waste.
The data protection and information manager will monitor the information requests inbox daily to ensure any requests received in it are reviewed quickly.
Determining a response
Within 2 working days of receiving the request, the business area must inform the data protection and information manager whether it is the correct business area to provide a response. The data protection and information manager will identify another business area to provide a response if required.
Once the correct business area to provide a response has been identified, that business area will be responsible for determining whether the information is held and if so, whether the data can be provided. It must do so within 10 working days of receiving the request. The business area will inform and take advice from the communications team, external parties and the executive leadership team as it deems necessary.
The data protection and information manager will provide guidance and input as required by the business area. The business area’s response will be placed into a formal draft response letter by the data protection and information manager. This response letter will be approved by the head of the business area as well as the head of data protection and information governance.
The approved response will be sent to the registration team, who will then send the response to the requestor and record that it has been sent.
Further information needed
Where further information is required from the requestor before the business area is able to determine if the requested information is held, the ICO requires this to be requested as soon as possible. To comply with this, we will work to a deadline of responding by the seventh working day after the request is received.
The business area should inform the data protection and information manager that further information is required within 5 working days of receiving the request itself. Where the above deadlines cannot be met, for example due to a delay in the relevant business area receiving the request, the relevant business area must provide a response as a matter of urgency.
Exemptions under FOIA are categorised as absolute and qualified. Absolute exemptions apply if the information meets the criteria for that exemption. Examples of absolute exemptions include:
- Section 21 – Information that is reasonably accessible by other means
- Section 23 – Information supplied by, or relating to, bodies dealing with security matters
Qualified exemptions must meet the criteria of the exemption, but also require a public interest test to be completed. The public interest test is a document with a series of questions, the answers to which allow us to determine if the public interest lies in disclosing or withholding the information.
Qualified exemptions are also further divided into 2 subcategories, class-based and prejudice-based. For class-based exemptions, the public interest test is sufficient. Examples of class-based exemptions include:
- Section 22 – Information intended for future publication
- Section 30 – Investigations and proceedings
For prejudice-based exemptions, a prejudice test is required. The prejudice test is a document with a series of questions which allow us to determine if disclosing the requested information would cause prejudice to the interest that the exemption protects. Examples of prejudice-based exemptions include:
- Section 31 – Law enforcement
- Section 38 – Health and Safety
Public interest and prejudice tests will be completed by the business area applying the exemption, with assistance from the data protection and information manager as required.
Exemptions from the duty to confirm/deny or disclose
As a public authority, our starting point should always be to seek to facilitate appropriate access to information requested under the FOIA. This is so that, among other things, the public can hold us to account for our activities. However, facilitating appropriate access does not mean that information should necessarily be disclosed.
In some cases, it may be more harmful to do so. We may refuse to disclose information entirely or in part, because we have balanced it against other factors.
In some cases it will be necessary to send attachments as part of the response. All attachments should be in PDF or CSV format, as these file formats carry the lowest risk of unintentionally disclosing more information than is intended.
Converting files to these formats will be the responsibility of the business area. If the business area considers it necessary for the information to be sent in a different file format then this will be considered on a case-by-case basis.
If the requestor is not satisfied with the way in which we have handled his / her request he / she is entitled to request a review. If the requestor asks for a review, this will be logged by the registration team and sent to the information requests inbox.
The review will be conducted by the head of data protection and information governance, who will email the business area that provided the response, provide advice, and ask them to confirm whether they still believe that the original response was correct or whether they would like to amend it.
Once a response to the review has been agreed, the head of data protection and information governance will draft a formal response letter which will be approved by the head of the business area. The response letter will be emailed to the registration team, who will send it to the requestor and record on the tracking sheet that it has been sent.
Related policies, procedures and information sources
If you have a query about this procedure, please contact Greg Lawton, head of data protection and information governance.
Procedure owner: Phil Hallam, executive director – registration and quality assurance
Procedure reference: PRO_FOI_01
If you require a PDF version of this policy, please contact us.