You can learn from case studies on how organisations recovered their own compliance with statutory FOIA and EIR timescales, including new ways of working and proactive disclosure of information. We will continue to develop further case studies.
Improvements after ICO enforcement action
ICO comment: what this case study means
This case study demonstrates how targeted action by the ICO can help organisations turn things around and improve the rate of on-time responses to FOI requests. It also highlights the benefits of improving organisational-wide training around handling FOI requests, designating FOI points of contact within business areas and having an escalation point of contact to increase accountability.
The ICO‘s Regulatory Action Policy sets out how we intend to make the best use of our powers. It outlines the circumstances in which we will take regulatory action. In line with our regulatory powers under the Freedom of Information Act 2000, we took action against an organisation in 2023.
Through our casework data, we identified that the organisation had a consistently late response rate to FOI requests.
The organisation also had a history of poor engagement with the ICO. It had ignored enquiries from case officers. ICO lawyers had to intervene before it complied with decision notices requiring it to respond to requests.
The action we took
We issued a practice recommendation to the organisation in 2023, recommending the following steps:
- Devise an action plan with appropriate processes put in place to ensure it achieves 90% timeliness.
- Use our FOI self-assessment toolkit to support and sustain its recovery plan.
- Publish compliance statistics in accordance with the section 45 Code of Practice and make these easily accessible on its website.
- Set up clear escalation procedures when staff do not meet internal deadlines in the request handling process.
- Information rights training should ensure that adequate coverage is in place if key staff members leave the organisation.
- Respond in a timely and constructive manner to enquiries from case officers.
Since we took action, the organisation has achieved a positive impact in these areas:
Improvement in the rate of on-time responses
Performance data provided by the organisation showed evidence of a sustained improvement in the rate of on-time responses. A total of 269 FOI requests, received over a four month period, were responded to within 20 working days.
Efficient management of FOI inbox
Five staff now have access to the FOI email inbox so requests are picked up more quickly. The inbox has also been organised into sub-folders for better management of responses.
Publication of performance statistics
The organisation now publishes the number of FOI requests it receives each month, and how many it responded to within 20 working days. This data, published in accordance with the section 45 Code of Practice, is updated quarterly.
Dedicated FOI contact and escalation point
Each department now has a dedicated point of contact to facilitate FOI responses. The organisation has updated its request handling procedures. They now include a provision for escalating requests likely to exceed the response deadline to the Head of Service or a Director. Recording the action taken as a result of the escalation, and how staff communicate this to the requester, are also part of the updated procedures.
Mandatory FOI training
All staff must take a mandatory FOI e-learning module. The organisation has also produced a training guide for customer service centre staff handling FOI administration. It is also going to recruit a deputy data protection officer with an FOI remit to provide technical expertise and resilience.
Improved engagement with the ICO
The ICO’s FOI casework team has reported a significant improvement in their engagement with the organisation. The organisation has created a separate folder to manage ICO correspondence, which is monitored and prioritised by the customer services manager.
London Borough of Camden: Building a compliance culture, streamlining case handling processes
Earlier this year, we published a case study on Camden’s approach to business as usual (BAU) responses. We wanted to look at their other processes in more detail after we reviewed their submissions for the eCase FOI awards 2022, which we helped to judge. Camden won FOI Team of the year at the awards. Sarah Laws, the council’s FOI and EIR Lead and Data Protection Manager, won the FOI Practitioner of the Year award.
ICO comment: what this case study means
This case study shows the benefits of deliberately developing a culture of compliance. Organisations can streamline their case handling processes with customer service and amenability in mind. This creates results that benefit both requesters and the public authority. For example, organisations can create frequently asked questions (FAQs) for hot topics. They can provide training and guidance to colleagues in a flexible, reactive way.
Streamlined request handling
Camden has a centralised FOI team of four information rights officers (IROs). They liaise with contacts across the business to locate and retrieve information. The IROs draft all responses and discuss potential exemptions with relevant departments.
Keen to improve request handling processes, Camden contacted a sample of requesters. They called companies, journalists and members of the general public. The feedback they gathered was that their acknowledgments, clarification requests and responses were too complex and contained unclear legalese. The council were also not explaining exemptions clearly enough.
The consensus was that Camden’s communications were heavy on law and process and light on customer care.
Following this feedback, Camden rewrote their templates to cut out direct citations from the Freedom of Information Act and simplified words and phrases.
Additionally, they decided to take a more amenable approach with requesters. They engaged with requesters more often and earlier in the request process. For example, if people asked vague questions, the council guided them to a better approach. They also suggested that the requester call them to discuss the type of information the council holds and how best to access it.
Building a culture of compliance
Camden understood the positives of transparency. However, senior staff needed to let more junior members of staff know that FOI was part of the day job. They also needed to ensure the Council was meeting deadlines.
This work began with the FOI team having discussions with services about where they had difficulties, and what support they needed for better FOI compliance. They took a supportive, rather than critical, approach. Instead of discussing specific late cases, they thanked colleagues for the Council’s better performance. They also began to push the view that the Council could achieve 100% compliance as part of business as usual.
Proactive disclosure work helped them to make the cultural change. Camden started publishing datasets and services could see the number of FOIs reduce. Following this, staff became positive advocates for greater transparency as they could see the benefits it brought them, in terms of time saved overall.
The cultural change was a combination of:
- senior managers having a positive approach to transparency;
- ambitions for Camden to perform to a very high standard; and
- a particularly keen senior advocate in the Borough Solicitor.
The Council looks for areas with a sudden increase in requests, or topics attracting local press coverage. Once identified, the team produces FAQs on the subject.
Although Camden publish their FOI responses, it’s better for requesters if they are linked to a FAQ rather than multiple previous FOI responses. Additionally, the council can update their FAQs as and when they disclose more information.
Anyone can propose potential subjects for FAQs. If an issue has not passed the threshold of demand to justify creating an FAQ, the team keeps a watching brief on the matter. There are no set criteria for hot topics – the approach is agile and responsive.
So far, the FAQs have been downloaded over 1,500 times.
Training and guidance
FOI training at Camden is flexible and tailored to suit different areas. For example, they offer short, headline training sessions for busy senior staff. It is delivered live, which the team considers crucial to its effectiveness.
When services within Camden are struggling to meet their responsibilities, or where there has been a restructure or a management change, the FOI team offers a training session.
The training sessions are practical and informal, encouraging compliance with internal deadlines and being open and transparent as a default. The training does not attempt to explain complex exemptions. Instead, it focusses on identifying and communicating potential harm or prejudice caused by disclosure. The FOI team has found that when services try and apply exemptions themselves, they struggle with the technicalities. However, they are much better equipped to identify and explain potential harm or prejudice. The FOI team feel that this also leads to fuller, more transparent disclosures.
Networking with local schools
Camden’s FOI team support some local schools when they receive information requests.
A small amount of the schools they support receive a lot of FOI requests. Their business managers have become upskilled through the support offered by Camden. They now send draft responses which Camden can review.
Other schools receive a small number of requests – perhaps two or three a year, usually round-robin requests which have also gone to many other schools. For this cohort of schools, Camden has worked to increase their awareness of FOI and how to identify requests. This allows schools to request advice from Camden promptly and so issue quicker responses.
London Borough of Camden: Business as usual responses
This case study shows one of the benefits of proactive disclosure of information. It’s quicker to direct someone to publicly-available information than it is to provide an individual copy of that information every time someone asks for it. The case study also shows that informal, business as usual (BAU) responses can be a quick and effective way of dealing with information requests. Organisations just need to ensure it does not result in any lowering of standards in the time taken to issue the response or in the quality or amount of information provided.
The London Borough of Camden takes a forward-thinking approach to issuing responses to requests as “business as usual.”
Camden issue prompt replies without the formality of a full FOI response when:
- they can direct the requester to publicly-available information; or
- when information is readily available and disclosable and it appears that a BAU response would satisfy the requester.
They do this even when a requester specifically cites that they are making their request under the Freedom of Information Act (FOIA).
Camden’s BAU responses begin:
“Thank you for your request. We are dealing with this as a routine request rather than formally as a Freedom of Information Act request so we can provide you with a faster and less formal response…”
and close with:
“…this doesn’t remove or affect your rights under the Freedom of Information Act. So if you’re unhappy with this reply for any reason please let us know. We will then have a look formally under the Act and send you a formal reply within 20 working days of your original email.”
Camden’s starting point for handling BAU responses is to check their previous FOI responses via their Open Data Portal. They then check other records available through the portal. If they have not already proactively disclosed the requested information, the staff handling requests liaise with relevant departments to check if the information is readily available and if they can provide it as BAU.
This approach allows Camden to issue straightforward responses to sometimes complex requests for information. Camden is satisfied that, by doing this, they are in line with ICO’s guidance, which states that:
“The Information Commissioner’s Office (ICO) recognises that some public authorities may initially respond to questions informally, but we will expect you to consider your obligations under the Act as soon as it becomes clear that the applicant is dissatisfied with this approach.”
ICO guidance also states:
"In many cases requests may be dealt with in the normal course of business provided this does not result in lower standards (eg disclosing less information, or taking longer to deal with the request)."
BAU responses now make up a significant amount of Camden’s annual FOI traffic.
For the last two full financial years, Camden has received over 1800 requests, and has closed nearly 30% of them as BAU.
Camden’s informed estimate is that a typical BAU response takes 10 minutes. If they issued those requests with full FOI formal responses, Camden estimate that they would take around 30 minutes. This means that they save around 20 minutes per BAU response.
Issuing 500 BAU responses – as Camden did in 2020/21 – saved 160 hours, which is nearly five working weeks. This frees up time for staff to concentrate on other FOI requests.
Requesters benefit from a very fast reply. Most requesters get a response within three working days, and a significant amount receive it the same working day.
Of course, it is very important that if people wish to have their request handled under FOI, Camden respect their rights. They must issue a response within the statutory time frame, dated from the initial receipt of the request.
Only two requesters have asked that Camden treat their BAU response as a formal FOI response instead. Camden have received no complaints from requesters about their approach to BAU disclosure, and instead receive regular praise for their fast replies.
Camden’s approach to BAU works well because they have invested in proactive disclosure. When public authorities make information readily available to the public, it becomes quicker and easier to handle information requests.
Reducing our information requests backlog – an ICO case study
This case study shows that when a backlog of requests builds up, and compliance rates fall, public authorities should consider making changes to their usual processes to improve the focus and efficiency of their request handling. The case study sets out how the ICO adapted and developed our own request handling processes to recover compliance. Increasing the amount of staff working on request handling is not possible for every public authority but this case study also shows the impact of using additional staff where this is possible, as was the case here.
As the Covid-19 pandemic progressed, the ICO built up a backlog of Freedom of Information (FOI) requests and subject access requests. Our timeliness compliance rate was also falling.
By adopting some new ways of working, creating a late cases project team, and using resources from across the organisation, we cleared our late cases and increased our timeliness compliance rate to 99%.
The ICO has around 1000 staff. We have received more than 2,000 information requests a year for the last 3 years. An average of 1230 per year were FOI requests. We only receive a very small amount of EIR requests.
Further detail on the types of requests we receive is available in our annual reports.
Requests are handled by our Information Access (IA) team. IA work closely with other ICO departments to locate records and make decisions about what information can be disclosed.
Before the Covid-19 pandemic, a backlog of information requests had started to build up. The impact of the pandemic resulted in a growing number of overdue cases and a falling compliance rate.
By September 2021 we had over 90 late cases. Our FOI and EIR timeliness compliance rate had dropped to 74%.
We aimed to clear all late cases and reach 92% timeliness compliance by 30 June 2022.
To achieve this, we introduced new processes and created a late cases project team to clear the backlog, with some overtime also dedicated to late cases for the rest of the team.
We were able to allocate resources, by seconding colleagues from across the ICO to work on incoming cases for 3 months. We were also able to call on the expertise of former IA team members to help mentor those secondees. The secondees attended the IA team’s standard twice-weekly “Request Queries” sessions, where the team can collaborate on the requests they’re handling and share best practice.
As well as those steps, we have been fortunate to be able to expand the IA team by approximately 50% from before the pandemic.
We recognise that not every public authority will find it possible to allocate more resource in the way that we did. However, seeing how we deployed staff and adopted new ways of working which did not require more staff should be helpful for other public authorities.
New processes included:
- producing weekly reports to identify overdue requests and those due within a fortnight – helping us identify cases where the officer managing the request might require support;
- introducing a tiering system to assess the likely complexity of a request, allowing us to allocate them to appropriate team members (3 tiers, tier 1 being most straightforward and tier 3 complex/time consuming);
- introducing a queue cap to limit the number of open requests a team member could work on at any one time (maximum of 15 requests for a fulltime team member; requests are counted as “open” while the handler waits for clarification, internal consultation responses, etc);
- establishing clear routes for escalating delayed internal consultation response on requests to senior management;
- increasing understanding of IA’s work across the ICO; and
- cooperating with the Communications team and other departments to identify planned activity likely to prompt information requests.
Initially compliance rates continued to drop, but the age profile of our caseload started to improve. We were closing difficult and significantly late requests in our backlog, but some of our newer cases were being issued late. After we reduced the backlog we started to see positive effects on our overall compliance rates.
This approach enabled us to return to 92% timeliness compliance and clear all our late cases by the end of June 2022.
Performance has continued to improve, and our timeliness compliance rate had risen to 99% by the end of July 2022.
We are also satisfied that by seconding colleagues in on a temporary basis, and supporting them well, we provided development opportunities for those staff.
“I’m very proud of the hard work of the team. Over the period of the recovery plan, they came together to really drive excellent performance and to return us to the service levels our customers rightly expect. The collaborative approach taken by the colleagues who joined us during this time, and the mentors who supported them, really made a huge difference. It was a great example of teams working flexibly to focus on an area of priority.”
- Louise Byers, Director of Corporate Planning, Risk and Governance.
“The support from colleagues in Information Access was excellent and made it possible for me to manage my own team while at the same time helping with the backlog of requests. I was able to discuss complex or novel cases with them to check that my advice was appropriate.”
- Iman El Mehdawy, Information Management and Compliance Group Manager, and mentor for IA secondees.
“We can become stuck in functional silos, and this was a great opportunity to learn what another area of the ICO does and how they work. What really impressed me was how everybody supported each other. In Information Access they have this session twice a week called ‘Request Queries’ where you can bring any issue relating to a case for group discussion. It’s amazing how much you can learn from being part of this.”
- Roxanne Stephen, IA secondee.
North Lincolnshire: Using templates for correspondence
North Lincolnshire Council won the Initiative of the Year award at the eCase FOI awards 2023. They were also nominated in both the Team of the Year and Practitioner of the Year categories. The ICO helped to judge the awards. We’re keen to share examples of practice that other public authorities can learn from, so we’re publishing this case study.
ICO comment: what this case study means
This case study shows some of the benefits of using templates for correspondence when handling information requests. In this case, the council use a case-management system which generates pre-populated templates. It makes it quicker to issue a response and ensures consistency between responses. It also improves the speed and consistency of internal communications with other areas of the organisation. It can ensure that refusal notices comply with the requirements of FOIA and the EIR. However, organisations must still consider each request on its own merits. They must ensure there is no lowering of standards in the quality of responses.
The council had limited resources to handle their caseload of information requests. They wished to improve several aspects of their request-handling, including:
- tracking requests; and
- the quality of responses.
Their compliance with the statutory timeframe before April 2021 was below where it needed to be. During case-handling, they had to generate correspondence from scratch and manually insert details of the requester, any reference number and details of the request. The content of responses varied. For example, staff sometimes used different wording to explain specific exemptions. The ICO received few complaints during this period. However, the council found it time-consuming to respond to these complaints, because they had not necessarily named their documents consistently nor stored them in a central location.
The council implemented a case-management system from April 2021 which included the functionality to generate templates for correspondence.
The templates, which include template emails, are pre-populated with the requester’s details, the date of the request and the case reference number. This makes it quicker to deal with the case and reduces the risk of errors from manual copying. The templates use consistent wording when referring to exemptions and exceptions, based on key terms and standard lines that the council maintain and review regularly. The system names documents in a consistent way, meaning staff can easily locate and identify the necessary documents.
Using the case-management system saved time by generating templates for internal and external correspondence on cases. Staff need to take fewer manual steps to draft correspondence and make fewer amendments.
The council have had fewer complaints made to the ICO about their timeliness.
The council’s responses are more consistent, and the quality has improved.
The council can now track their request-handling more easily.
Staff find it easier to locate documents, both during a case and if they are needed subsequently.
Overall, the system allows staff to work more efficiently, which helps to address the problem posed by limited resources.
Leicester City Council: Logging requests, prompt clarification and promotion of awareness
Leicester City Council were nominated in both the Team of the Year and Practitioner of the Year categories at the eCase FOI awards 2023. The ICO helped to judge the awards. We’re keen to share examples of practice that other public authorities can learn from, so we’re publishing this case study.
ICO comment: what this case study means
Having a streamlined central logging system for information requests can save you time at the very start of the FOI process. This may include having procedures in place for logging requests immediately and seeking clarification quickly. Regular training and raising awareness with staff can ensure they know how to log requests. This embeds the process and a transparency culture so that you can deal with requests efficiently, from the point of receipt through to issuing the response.
Leicester City Council received 907 FOI requests in 2021, and 1007 in 2022. Two full-time information governance officers and 1.5 full time equivalent information governance assistants deal with FOI requests.
Leicester City Council runs a hub and spoke model for managing FOI requests. This consists of a centralised, expert information governance team that logs and monitors FOI requests, alongside the service areas that own the information and can answer the requests. The system needs both parties to understand and comply with the process and aim to meet the timescales required, including the statutory deadline of 20 working days. The system involves:
- logging and clarifying requests (under the duty to advise and assist), within 24 hours on a central FOI case management system;
- sending the request to the relevant service area within 24 hours for a response;
- receiving the response back from the service area within 10 working days; and
- chasing and escalating to directors, if necessary, any requests not returned within 10 working days.
The staff in information governance have an in-depth knowledge of the council and its services. Therefore, they know who to send the request to without undue delay. They have established relationships with service areas and built up a reputation of being efficient and helpful.
A template request email issued to the service area gives a very clear date for response. The email explains what to do if the team do not hold the information, or if they need further clarification. The email also advises on what to do if they require any help identifying possible exemptions. Service areas know that the FOI team will chase them if their returns are late.
The FOI team copy in directors, so they are fully aware of all FOI requests in their area. The team use systems to monitor and authorise the requests, including any that may be sensitive or generate press coverage. Senior management buy-in is important and they receive performance reports for their service areas.
In addition, there is formal training available to all staff, as well as informal regular awareness raising of recognising requests for information and complying with the FOI processes.
The team runs regular training and awareness sessions for staff, both in person and remotely. They also developed an in-house, online training module.
Staff place regular reminders in the weekly e-newsletter in order to promote FOI awareness within the council.
The council’s head of information governance, Lynn Wyeth, says:
“Embedding the processes into the behaviour of the organisation is key… FOI is the day job too and is everyone’s responsibility in an open and transparent public authority and democracy.”
Having a centrally managed system, with an efficient and speedy initial process, gives service areas much more time to retrieve and collate the information. It also gives the council space to consider exemptions.
The council can answer many requests quickly and easily on the day they arrive. Staff are in the habit of responding to them as soon as they can.
The council has well-trained staff who are authorised to chase for information and senior managers who take their responsibility seriously. This, along with the central system, means Leicester City Council answered 99% requests on time in 2021 and 98% of requests on time in 2022.
The council asks requesters if they would like to complete a satisfaction survey and consistently receive positive feedback. A couple of examples are:
“I wrote to 24 local authorities…the data I received from Leicester City Council was far and away the fullest and best organised of all. Thank you so much.”
“Very straightforward process, and very grateful for the detailed and explicit response.”
Wye Valley NHS Trust: Triaging requests, effective guidance for staff and using templates
The Trust was nominated for the Rising Star award at the eCase FOI awards 2023. The ICO helped to judge the awards. We’re keen to share examples of practice that other public authorities can learn from, so we’re publishing this case study.
ICO comment: what this case study means
A well-designed triage system and resources like templates can speed up request handling. Making sure senior staff are informed keeps them engaged and can pre-empt problems and identify opportunities. Step-by-step guides can also assist colleagues in developing a general understanding of FOIA requirements. In general, good FOI practice requires a strong network of informed staff working across an organisation.
Triage and request handling
For the 2022/23 financial year, the Trust received 622 FOI requests and a single EIR request.
For the purposes of handling FOI requests, Wye Valley splits the trust into divisions. The majority of divisions have established a point of contact. They either answer questions directly or can refer the request to relevant staff within the division. The level of seniority of staff in the network varies across areas, but it is usually managers that send across information to the team.
Central request handling staff regularly check and challenge responses provided to ensure that they are accurate. They also check that staff are applying exemptions correctly.
Staff report compliance figures to the Trust’s monthly information governance committee. They also provide these figures to heads of divisions. This allows the Trust to:
- recognise any problems in good time;
- identify trends in requests; and
- consider opportunities to address patterns of requests by proactively disclosing datasets.
When the team receives a new request, they create an email folder. Any emails sent or received about the request go into that folder.
A logbook tracks open requests. This is a simple spreadsheet that tracks deadlines – not only the deadline for issuing a final response, but also internal deadlines about the request’s handling. For example, when someone refers a request to another team, that team works to a 10 working day deadline. The logbook also tracks which other team or department is dealing with the request, the date of most recent correspondence and its current status.
The Trust also holds a contact log spreadsheet, detailing which division or person to get in touch with to answer certain types of requests.
Managers have regular access to the logbook stats, to consistently inform them of the Trust’s FOI position. The Trust plans to start proactively publishing the logbook’s compliance figures.
Due to the volume of requests the Trust receives, they have decided that this method suits their needs. They do not need to spend money on a casework system that outstrips their level of demand.
Guidance, templates and training
The Trust has two sets of guidance. One is for team members who formally process FOI requests, and one is for general staff who answer questions about requests and provide information which falls under the scope of a request.
The guidance for team members takes the form of an FOI process manual. The manual goes through the process of handling a request step by step. It highlights information sources the Trust holds that are useful for request handlers, like their log of past responses.
They have templates for various common responses, which staff can adapt to suit the response. They have a generic S.12, S.21, S.22 and S.40 (ii) template. This speeds up the process of replying, but also sets out the expected structure of a request. This prompts staff to gather and outline the relevant information required to set out the reasoning behind applying an exemption.
The manual includes checklists that explain what information a case handler needs to hand in order to apply an exemption. They have a specific checklist for the application of S.43.
For staff who are not handling requests day-to-day, the Trust has a step-by-step poster. It explains the difference between an FOI request and a subject access request. It also explains which members of staff people should pass requests to, if they receive one. Additionally, the Trust has a general FOI FAQ on their intranet.
In 2022, Wye Valley NHS Trust had a compliance rate of 71%.
As of March 2023, following the introduction of their new triage system, they were at 95%.
Liverpool University Hospitals NHS Foundation Trust: Building a compliance culture, setting internal deadlines and EIR upskilling
The Trust was nominated for the Team of the Year award at the eCase FOI awards 2023. The ICO helped to judge the awards. We’re keen to share examples of practice that other public authorities can learn from, so we’re publishing this case study.
ICO comment: what this case study means
This case study shows that good FOI practice requires an overall culture of compliance, with a strong network of informed staff. Setting internal deadlines for the different stages of your request handling process can help ensure timely responses. Some organisations receive significantly fewer environmental information requests than FOI requests. However, you may experience a peak in interest in environmental issues, which requires you to quickly increase and consolidate your knowledge of EIR.
The Trust was formed by the merger of two pre-existing Trusts in October 2019. Since then, the Corporate Information Compliance (CIC) team have handled requests received on behalf of four hospitals.
The Trust employs circa 13,000 staff. There are five staff on the CIC team. The team is also responsible for providing data protection officer support, and other duties.
Building a compliance culture
To promote FOI awareness within the Trust, the CIC team has developed collaborative relationships with other departments. For example, they have daily engagement with HR, finance, IT, business intelligence and the Trust’s communications team.
Staff in senior management roles are usually identified as a point of contact for their area. The CIC team work with departments to pick the most appropriate point of contact. This decision is also influenced through the CIC team’s general experience of working with their colleagues over and above their FOI work. CIC staff work hard to develop and maintain strong working relationships with other teams. This puts them in the position to know the best person to ask about requests.
When new colleagues join a team that routinely deal with FOI requests, the CIC team suggest presenting an FOI workshop. This is designed to help new colleagues understand the Trust’s process in dealing with requests.
The Trust’s communications team flag any enquiries through the media, on social media or public enquiries which they consider “hot topics.” This allows the team to do some initial thinking about how they will gather information likely to fall under the scope of requests. They also consider any sensitivities around disclosing the information that requests will likely ask for.
Request handling approach
When the Trust receives a request, it is distributed to the relevant team or department and to the hospital leadership team for oversight. Any member of staff can handle a request, depending on who holds the requested data.
Some departments have a dedicated shared inbox for FOI requests. This allows staff within the department to access and respond to requests, or further delegate it if appropriate.
For example, CIC might pass a HR-related request to a workforce analyst via a shared inbox. The workforce analyst may then pass on the request to the relevant lead, for example a temporary staffing manager.
Area leads dedicate time to FOI responses and routinely provide a response within the internal deadline, set at seven working days from receipt.
The CIC team chase up requests if they do not receive a response from the department five or six days after sending. They check to ensure the request is sat with the relevant team or if the team needs any further assistance. If needed, the CIC team can give extensions to 10 working days.
Once the relevant team collates a response, it goes through a sign off process, which is as follows:
- Officer collates the response and applies any applicable or relevant exemptions, based on the response from the department.
- Officer sends the response to the senior officer for an initial review.
- The response is sent to the deputy director of operations.
- Once the deputy director approves the response, it is sent to the director of operations, who is part of the hospital leadership team.
The CIC team identified that when senior staff needed to consider sensitivities around disclosing information, they did not always have enough time to do so. This caused delays in issuing responses. The team then adapted their request handling process and their internal deadlines. Now, there is an expectation that senior staff complete any necessary review of a response by day 15 of 20.
In 2022/23, the Trust saw heightened public interest in the construction of the New Royal Liverpool University Hospital Building. The collapse of Carillion affected the construction project.
The Trust received a high volume of requests regarding the cost of works, contracts in place, ongoing legal action and other information about the hospital’s construction.
As the Trust received internal review requests, and then ICO decision notices about the requests, they recognised an opportunity to consolidate their learning. The team committed to reviewing ICO guidance to develop a stronger skillset to handle future EIR requests. Handling this influx of requests required the CIC team to:
- strengthen their knowledge of EIR legislation;
- learn when to apply EIR rather than FOI; and
- understand how to identify suitable exceptions to information when it was relevant.
The Trust’s approach to FOI and EIR compliance has allowed them to maintain consistently high compliance rates.
|775 (FOI: 759, EIR: 16)
NHS Blood and Transplant: senior level support, a designated team and clear processes
This case study shows the benefits of improving organisational culture around FOI, having designated staff to handle requests and formalising your approach to handling information requests. It also highlights the importance of training.
NHS Blood and Transplant (NHSBT) carried out a complete review of its processes. A designated, trained team now handle FOI requests, and can use approved escalation routes. They make better use of existing software to track cases and meet deadlines.
The success of this approach depended on support and buy-in at senior leadership level.
Staff at NHSBT became aware that the Trust was not handling FOI requests consistently well. A team was handling requests as part of a wider customer service function. Despite some support from information governance and external affairs, there were no designated FOI roles or responsibilities. Staff provided input to the best of their abilities, but they were under-resourced and lacked experience, knowledge and expertise. They noted that request-handling “sat alongside an already high BAU workload… rather than being seen, understood and recognised by the organisation as a formal regulatory activity”.
Staff did not use standardised letter templates and had no method of tracking requests or recording statistics. Consequently, the quality of responses varied. They did not always apply exemptions and the public interest test consistently or correctly. Staff realised that some complaints to the ICO resulted from a lack of understanding: they lacked awareness of relevant exemptions and what information was captured by FOIA.
The team had no log of relevant internal stakeholders and no standardised escalation routes in place. Consequently, when information was requested, the team could not advise or consult with relevant business areas effectively, which affected their understanding of what information the Trust held. They encountered “blockers” to receiving information. The lack of any formal engagement with FOI from senior management executives meant that the Trust sometimes missed deadlines.
The Trust carried out staff training, right up to board level. This ensured FOI was a key business priority linked to reputation and regulatory compliance. The training highlighted that the FOI process requires input from all staff to be efficient and effective. The training resulted in senior buy-in, and the information governance team then carried out a review.
As an interim measure, NHSBT adopted a triage and escalation process for FOI requests, which established key points of accountability and responsibility. They also established a robust escalation route. This improved compliance with statutory deadlines.
NHSBT then established a data security, privacy and records management team “to formally own the FOI process”. The new team included more staff and escalation routes to appropriately-trained senior management executives.
The new team established the following tools and processes:
- Defined staff roles for specific steps of the process, with roles being matched to level of experience and knowledge.
- Ongoing training for the wider organisation, including senior staff.
- Better relationships with key areas of the organisation, including those which provide information.
- Ongoing development of KPIs to track compliance, improvements and challenges.
- A dedicated FOI mailbox on the website for use by the public.
- A standardised set of templates, tailored for FOI exemptions and public interest tests.
- Tracking and managing responses and timelines through Microsoft SharePoint and Dynamics, including generating reminder emails for staff.
NHSBT wishes to continue to drive improvements. They commissioned an audit of their FOI and SAR processes in April 2023, resulting in further recommendations. They intend to act on these between now and December 2023.
A positive impact has been achieved in these areas:
A good organisational culture around FOIA
There is improved organisational awareness and understanding of FOI responsibilities, and improved communication. The team’s training in FOI allows them to speak directly and appropriately to staff about providing information for consideration in a timely manner. Established escalation routes have reduced “blockers” and senior buy-in allows the team to escalate requests, if necessary, “right up to board level”.
Quality of responses
Responses to requests are of a higher quality. The team feel confident they are complying with FOIA and that their responses are more consistent, particularly around the use of exemptions and the public interest test. Since putting in place this new process, there have been no complaints to the ICO with regards to FOI requests as at June 2023.
Having a designated team and sign-off process for handling FOI requests has freed up customer services staff to focus on other queries.
NHSBT has mirrored its new approach to FOI to handling SARs. They consider that this has been equally successful. Using templates from the new FOI approach, staff are also looking to improve their processes in incident management and investigating data breaches.
The wider FOI community has also recognised NHSBT’s work. The organisation was nominated for FOI Practitioner of the Year at the eCase FOI awards 2023.
Norfolk & Suffolk NHS Foundation Trust: senior leadership support and redesigned processes to increase level of accountability
ICO comment: what this case study means
This case study demonstrates how support from senior leaders can help tackle delays in responding to requests. This includes requests which require a high level of sign-off before a response can be issued. It also highlights the benefits of streamlining processes, formalising procedures, and clarifying roles and responsibilities to increase the level of accountability for FOI. We recommend reading this case study along with our short guide on internal consultations.
There had been an increase in the volume of requests being issued after FOI deadlines. The Trust escalated this to their Audit and Risk Committee, and the Committee requested action at executive director level. The Trust shared an overview of request themes and trends with the Committee, highlighting business areas where there were frequent delays in providing data to the Information Rights Team (IRT).
Staff identified that senior colleagues lacked awareness of FOI requests until sign-off stage. This caused delays in responding to requests within statutory FOI deadlines. A lack of accountability by senior managers was a further issue causing delays. Nominated FOI representatives (FOI Reps) usually provided the requested information in relevant business areas. They were quite often junior staff. However, when queries arose about the quality of the information provided, there was often no clear escalation point or senior manager identified. In addition, when requests were escalated, these were usually reviewed by multiple senior managers or executive directors who had no prior involvement with, or knowledge of, the request.
To improve the Trust’s performance, they needed:
- a better way of tracking a request allocated to business areas; and
- awareness of the request and responsibility for signing off the response, including overall accountability.
The Trust redesigned their FOI process in the following ways:
- The IRT used data on themes, trends and response times to produce weekly reports for the executive directors.
- They provided data in a more streamlined manner across business areas and considered whether a type of data needed further validation and checks.
- They introduced a four-stage approach to handling requests (allocation, awareness, validation and approval) to make the FOI process more joined-up at all levels.
- They introduced a standardised procedure for recording requests, establishing consistent phrases and key words.
- They reviewed and updated their internal and external email templates, to make these clear and concise for both staff and requesters.
- They introduced a deadline of 12 days for relevant business areas to provide them with data.
- They updated and reviewed the FOI Reps’ list, to include contact points for each business area or topic, and to increase awareness of requests. They also included the wider service area, in order to identify the relevant executive director from the outset.
- All executive directors were then given the option to approve the response once the IRT received the data. This enabled the directors to provide support to staff, including senior leaders, from the outset, rather than at the end of the process.
- Finally, the Trust introduced weekly and monthly calls with key FOI Reps to ensure they addressed any queries in a timely manner.
The Trust has achieved a positive impact in the following areas.
A good organisational culture around FOI
Executive directors now actively engage with the IRT. They feel more confident approving FOI responses, since they’re aware of the request from the point it was allocated to their service area.
Sign-off and weekly reporting enabled the Chief Executive to understand the types of information the public was seeking from the Trust. This level of engagement has gradually improved the response rate to requests. The Trust has also prioritised and cleared its backlog.
Increase in the level of accountability for FOI
The reduction in performance against FOI deadlines enabled the IRT to re-engage not only with the FOI Reps but also with senior management. Highlighting the challenges that staff were facing in locating and collating information has led to greater accountability, at all levels, for responding to FOI requests in a timely manner.
Quality of responses and efficiency
The quality of FOI responses has also improved. There are fewer queries at the point of drafting a response, as these are picked up and worked through with support from managers and, where necessary, the executive director.
When a request is complex, the Trust can act quickly to ensure the FOI Rep is supported and any information is validated before it’s sent to the IRT.
The Trust is now looking at sourcing a software product to assist in recording better FOI data. They hope to use the data to support proactive publication. They’re also exploring how best to publish all FOI responses.
The wider FOI community has also recognised the Trust’s work. The Information Rights Manager at the Trust was nominated for FOI Practitioner of the Year at the eCase FOI awards 2023.
Office of the Secretary of State for Wales and the Northern Ireland Office: sharing FOI services and using Excel to track requests
We contacted the Office of the Secretary of State for Wales after the publication of the Freedom of Information statistics for central government bodies in 2022. Although they receive a relatively low volume of requests, we were interested to see how they maintain a high level of compliance.
ICO comment: What this case study means
Smaller public authorities with strong working relationships with other bodies might consider collaborating to meet their FOI obligations. Information and skill sharing can work in various different ways. It doesn’t need to be as formal as the “shared service” described below. While some public authorities need specific casework platforms, others will only need Excel or another simple spreadsheet program. Internal deadlines are highly recommended for managing requests. Templates are a good way to save time and control the quality of output.
The Office of the Secretary of State for Wales (OSSW) utilises a shared service to manage information requests. The service is provided by the Northern Ireland Office (NIO).
Requests made to OSSW are automatically forwarded to the NIO's FOI inbox. NIO log the request, send an acknowledgement and assign the request to the relevant OSSW team. NIO provides response templates which detail commonly-used exemptions.
Tracking requests in Excel
Cases are tracked via Excel. Request are assigned a specific reference number to help track communications. NIO maintains case folders in which all material about a request is filed.
The Excel case log tracks received dates for each request, internal deadlines and final deadlines. It also notes overdue or late cases or where the team have applied legitimate PIT extensions.
When assigning requests to the relevant OSSW team, NIO asks for them to provide cleared responses to meet an internal deadline of 15 working days. If that deadline is not met, they issue reminders until the response is provided. Setting internal 15 working day deadlines is a useful practice which NIO/OSSW would recommend to other public authorities.
Ofgem: case management system and assigning request handling to relevant colleagues
We contacted this public authority after the publication of the Freedom of Information statistics for central government bodies in 2022. They receive a relatively high volume of requests and we were interested to see how they maintained a high level of compliance.
ICO comment: what this case study means
It’s important to have the right tools for managing requests – in this instance, a case management system. It’s also important to have the right processes. Confirm a list of named contacts across your organisation to ensure efficient communication and clear accountability. Target training so staff receive the appropriate level according to their role. Talking openly about the ways you’re working smarter and more efficiently can boost the profile of information rights compliance within your organisation.
Using a case management system
Ofgem’s FOI requests are sent to the Information Rights team inbox. They are triaged into three categories, either:
- a valid request;
- a BAU request; or
- case correspondence.
Staff log valid requests on Ofgem’s case management system. Ofgem has found that using software specifically designed for handling information requests increases efficiency and reduces human error.
The team aims to log and acknowledge requests within two working days. The casework system allows Ofgem to:
- link similar cases, or other requests from the same requester;
- identify the best area or team within Ofgem to deal with the request; and
- tag requests with key terms.
Assigning requests across the organisation
The team assigns cases to the relevant team or person who has responsibility for locating and gathering the requested information. The Information Rights team encourage their colleagues to review requests as soon as possible. This is so they can move quickly if necessary to reassign the request to a different team or to ask the requester for clarification. Staff log any internal communications about requests against the case in the casework system.
The team maintains a list which details specific points of contact (SPOCs) who are either individual staff members or team inboxes. The list also details back-up contacts and the relevant senior manager for each team or subject area in Ofgem.
Staff drafting responses work to an internal deadline of 15 working days from the date they received the request. This gives the Information Rights team five working days to review the responses and make necessary amendments.
Ofgem has found that this balance of deadlines works best for the type of request they receive. Many of the requests are complex or are about Ofgem’s regulatory duties. Staff often have to apply exemptions to the information.
The Information Rights team follow up with colleagues who have failed to respond within the 15 working day limit. If the deadline is missed repeatedly, the team escalate the matter to senior managers.
The Information Rights team have received training from an external FOI expert and have undertaken formal FOI qualifications. Members of the SPOC list have received bespoke training relevant to their role. Ofgem recorded this training and it is available for new staff or staff wanting a refresher.
The creation of the SPOC list, and delivery of bespoke training for the members of the list, has led to an improvement in Ofgem’s general compliance culture. Training and structured involvement in the FOI process helps to demystify FOI and EIR, and gain buy-in.
Ofgem’s recommendations for other public authorities
- Hold regular process improvement meetings within your Information Rights team to discuss recurring issues and ways to solve them.
- Keep a backlog of potential improvements which team members can work on when they have capacity.
- Communicate improvements and process changes to senior management and across the organisation more widely, to develop visibility and awareness of your work across the organisation.
The Office for National Statistics: developing and using a casework system in-house
The Office for National Statistics (ONS) is the executive office of the UK Statistics Authority (UKSA). We contacted them after the publication of the Freedom of Information statistics for central government bodies in 2022. They receive a relatively high volume of requests and we were interested to see how they maintain a high level of compliance.
ICO comment: what this case study means
If your organisation has the technical resources, you could develop your own database solution to handle your information request workload. Transparency and visibility are important. Keep senior staff engaged in the detail of compliance and share accountability within the organisation. If your workload increases, consider whether changing your processes will help. When UKSA experienced a steep increase in requests in 2021, they amended internal deadlines to give their team an extra three working days. This helped UKSA maintain timeliness despite an increasing caseload.
Casework management through PowerApps
UKSA manage requests through PowerApps (Microsoft). It operates using a workflow system. It logs requests, allowing UKSA to assign them to the relevant business areas and sends an automatic acknowledgement to the requester. Staff can download outcome and exemption data from the application and analysed to produce quarterly and annual statistics.
The application calculates an internal deadline of 14 working days for the business areas to return FOIs to the FOI team. This allows the team six days to check that responses are compliant and provide advice on any necessary amendments. They track compliance with this internal deadline and chase to avoid any late responses.
Assigning responsibility for requests
Each request is usually assigned to the deputy director (DD) responsible for the topic of the FOI request. Under each DD there is a delegate, who is the person responsible for overseeing FOIs in that area of UKSA.
UKSA’s casework system sends an automated notification to the DD, their assistant and the delegate. This informs them that a request has arrived and prompts them to assign an Action Officer (AO).
The AO collates a response, in collaboration with other relevant colleagues and business areas. The DD is notified when the response is ready for review. They then sign off or reject the response.
All UKSA staff are informed how to identify an FOI request through annual training sessions. Business areas receive additional training.
Numerous members of the team have FOI qualifications from external training organisations. They attend regular external training courses to keep up to date with developments in the FOI space (such as ICO decision notices and case law updates). New starters on the team are given an informal two-week training programme with a qualified FOI practitioner to go over the basics of FOI law and all the relevant exemptions. This is supplemented with ICO materials.
Reporting to leadership
FOI figures and trends are reported to the senior leadership team. The FOI team handle data protection requests and also oversee the ONS complaints function. They also work very closely with the Parliamentary team, who are responsible for official correspondence and Parliamentary questions. Grouping these functions under one team provides oversight of the topics and information the public are interested in, as well as building a detailed understanding of emerging issues or trends. This helps the organisation improve processes, systems, transparency and responsiveness.
UKSA’s recommendations for other public authorities
UKSA recommend that other organisations are ambitious with creating supportive technological structures to assist with compliance. They also recommend implementing combined responsibility for FOI requests, with ultimate responsibility for the response lying with the business areas.