The ICO exists to empower you through information.

ICO comment: what this case study means

This case study shows the benefits of improving organisational culture around FOI, having designated staff to handle requests and formalising your approach to handling information requests. It also highlights the importance of training.

NHS Blood and Transplant (NHSBT) carried out a complete review of its processes. A designated, trained team now handle FOI requests, and can use approved escalation routes. They make better use of existing software to track cases and meet deadlines.

The success of this approach depended on support and buy-in at senior leadership level.


Staff at NHSBT became aware that the Trust was not handling FOI requests consistently well. A team was handling requests as part of a wider customer service function. Despite some support from information governance and external affairs, there were no designated FOI roles or responsibilities. Staff provided input to the best of their abilities, but they were under-resourced and lacked experience, knowledge and expertise. They noted that request-handling “sat alongside an already high BAU workload… rather than being seen, understood and recognised by the organisation as a formal regulatory activity”.

Staff did not use standardised letter templates and had no method of tracking requests or recording statistics. Consequently, the quality of responses varied. They did not always apply exemptions and the public interest test consistently or correctly. Staff realised that some complaints to the ICO resulted from a lack of understanding: they lacked awareness of relevant exemptions and what information was captured by FOIA.

The team had no log of relevant internal stakeholders and no standardised escalation routes in place. Consequently, when information was requested, the team could not advise or consult with relevant business areas effectively, which affected their understanding of what information the Trust held. They encountered “blockers” to receiving information. The lack of any formal engagement with FOI from senior management executives meant that the Trust sometimes missed deadlines.


The Trust carried out staff training, right up to board level. This ensured FOI was a key business priority linked to reputation and regulatory compliance. The training highlighted that the FOI process requires input from all staff to be efficient and effective. The training resulted in senior buy-in, and the information governance team then carried out a review.

As an interim measure, NHSBT adopted a triage and escalation process for FOI requests, which established key points of accountability and responsibility. They also established a robust escalation route. This improved compliance with statutory deadlines.

NHSBT then established a data security, privacy and records management team “to formally own the FOI process”. The new team included more staff and escalation routes to appropriately-trained senior management executives.

The new team established the following tools and processes:

  1. Defined staff roles for specific steps of the process, with roles being matched to level of experience and knowledge.
  2. Ongoing training for the wider organisation, including senior staff.
  3. Better relationships with key areas of the organisation, including those which provide information.
  4. Ongoing development of KPIs to track compliance, improvements and challenges.
  5. A dedicated FOI mailbox on the website for use by the public.
  6. A standardised set of templates, tailored for FOI exemptions and public interest tests.
  7. Tracking and managing responses and timelines through Microsoft SharePoint and Dynamics, including generating reminder emails for staff.

NHSBT wishes to continue to drive improvements. They commissioned an audit of their FOI and SAR processes in April 2023, resulting in further recommendations. They intend to act on these between now and December 2023.


A positive impact has been achieved in these areas:

A good organisational culture around FOIA

There is improved organisational awareness and understanding of FOI responsibilities, and improved communication. The team’s training in FOI allows them to speak directly and appropriately to staff about providing information for consideration in a timely manner. Established escalation routes have reduced “blockers” and senior buy-in allows the team to escalate requests, if necessary, “right up to board level”.

Quality of responses

Responses to requests are of a higher quality. The team feel confident they are complying with FOIA and that their responses are more consistent, particularly around the use of exemptions and the public interest test. Since putting in place this new process, there have been no complaints to the ICO with regards to FOI requests as at June 2023.

Organisational efficiency

Having a designated team and sign-off process for handling FOI requests has freed up customer services staff to focus on other queries.

Extended benefits

NHSBT has mirrored its new approach to FOI to handling SARs. They consider that this has been equally successful. Using templates from the new FOI approach, staff are also looking to improve their processes in incident management and investigating data breaches.

The wider FOI community has also recognised NHSBT’s work. The organisation was nominated for FOI Practitioner of the Year at the eCase FOI awards 2023.