Validating and managing requests for access

Ways to meet our expectations:

• Verify the identity of the requestor and the address to send the information to, and keep records of the verification checks.
• Verify that third parties making requests on behalf of people have written authority or power of attorney to make the request.
• Ensure staff are aware why verification checks are important.
• Sample or check that staff carry out verification checks appropriately on completed requests.
• Document verification checks and how to carry them out  in sufficient detail in policies.

Options to consider:

• Document clear step-by-step instructions or a process flow chart for verifying the validity of requests.
• Document clearly how to handle requests from a parent on behalf of their child.
• Document when it isn’t proportionate to ask for identity documentation or evidence (eg when requests are from staff members or known people).
• Record what identity documentation or evidence is valid so that staff can refer to it.
• Include a section on request forms to show people what evidence to provide with their request.

Ways to meet our expectations:

• Keep a log of all verbal and written requests.
• Log who handled each request.
• Log what stage each request is at.
• Log the due date for a response to each request within the statutory timeframe, the actual date you responded to each request, and the reason for any delays, where you didn’t meet the statutory timeframe.
• Log where information was withheld under exemption or related to third parties, and why this decision was made and by who.
• Log requests that were refused entirely or handled following a different process, and why this decision was made and by who.

Options to consider:

• Use a spreadsheet or database to automatically calculate key dates.
• Mark log fields as ‘mandatory’ to ensure information is captured and there are no gaps.
• Include the log in your retention schedule to ensure you only retain the information for as long as necessary.

Ways to meet our expectations:

• Acknowledge each request by confirming receipt electronically or in writing and inform the requestor of the latest date they will receive a response by. This will be no later than one month from the date you received their request.
• Seek clarification promptly when the nature of the request is unclear or the request doesn’t contain enough information to respond.
• Inform the requestor if you need to extend the response timeframe for their request. Only extend it by a further two months due to the volume or complexity of the request.
• Inform the requestor if their request is delayed, why it is delayed, and the expected date they will receive a response by.
• Prioritise or escalate requests that are delayed.
• Ensure managers monitor requests in progress, including what stage each request is at and any issues or delays, to meet timescales.
• Escalate details of requests that staff have not responded to within the statutory timeframe to a suitably senior manager or oversight group.

Options to consider:

• Produce clear template text to use in letters or emails for each access request.
• Include template text as appendices in your request for access policy, so staff can find it quickly and update it when you review the policy.

Ways to meet our expectations:

• Keep records to show that you have responded to requests for access and actioned them within the statutory timeframe.
• Keep records of mitigating factors and actions taken for any requests for access that you didn’t respond to or action within the statutory timeframe.

Options to consider:

• Use a spreadsheet or database to automatically calculate key dates.
• Plan to respond to non-complex requests in a shorter period (eg two weeks) so you have extra time if there are delays or issues.