NHS England & Customer Contact Centre FOI Introduction 2013

Agenda Overview of the Freedom of Information Act (FOIA) Exemptions Guidance Writing a refusal notice Internal Process NHS | FOI Introductory Training | March 20132

Goals of the day Gain a broad understanding of the FOIA Understand NHS England internal process of handling an FOI request Be able to write a refusal notice Have a broad understanding of the exemptions used under the FOIA. 3

The FOI Act was introduced in 2000 and enforced in It was introduced to increase openness and transparency of public authorities; Routinely publish information to the public – publication scheme. The Information Commissioner’s Office (ICO) assist in regulating the FOI Act;Information Commissioner’s Office Including complaints regarding an authority’s handling of a request(s). In addition to the legislation itself the Secretary of State has used the powers in sections 45 and 46 of the FOIA to issue two Codes of Practice – which set out good practice for public authorities. Section 45 deals with a good practice to follow in relation to receiving a request to a third party Section 46 deals with records management. FOI Introduction 4

FOI coverage The Act covers any recorded information that is held by a public authority in England, Wales and Northern Ireland, and by UK-wide public authorities based in Scotland. Information held by Scottish public authorities is covered by Scotland’s own Freedom of Information (Scotland) Act There are also Environmental Information Regulation (EIR) 2004 whose handling falls similarly to those under the FOIA. This training will focus on FOI primarily however, you are provided with further information regarding the main differences between the FOIA and EIR. 5

An FOI request can be for any recorded information held by a public authority; This includes information shared with you by another organisation; The requester themselves does not have to inform you why they want the information. Key Principles 6

Must be in writing; post, or fax. Must be for recorded information Must have the person’s name and contact Must be responded to within 20 working days The request does not need to be formally labelled but often individuals will title their communication with ‘FOI’ or reference this in the request. Cannot be a request for personal information; An organisation is recommended to publish a ‘publication scheme’ to allow the organisation to regulate information to the public domain. Defining an FOI request 7

Under the FOI Act: When a public authority receives a request made under the FOI Act then it must either: provide the information to the requester; write back to the requester to inform them that the information is not held; refuse to confirm or deny whether information is held; or confirm that information is held but refuse to provide it. 8

Any questions so far? 9

Further Information Exemptions Guidance Internal Process Refusal Notice 10

Internal Process We have step by step process on how to handle an FOI request. This involves; 1) Request received to our first line team who record the information and triage to the second line team. 2) The FOI team acknowledges the request (scripted and completed within 2 working days) 3) The FOI is reviewed and commissioned to the team(s) responsible. 4) Communications will be sighted on the requests, for information and to provide (where appropriate) assistance with the request. 5) Follow up and review dates during the investigation 6) Final quality assurance processes, approval and issue, close down. 11

Any questions? 12

Information Governance (IG) IG is an important consideration to NHS organisations, and employees in all aspects of their work. IG ensures necessary safeguards for, and appropriate use of, patient and personal information. Health and Social Care Information Centre (HSCIC) holds various information and training materials regarding IG. Due to the need to protect and maintain personal data a Caldicott Guardian has been a requirement of all NHS organisations that have access to patient records;Caldicott Guardian Organisations must also have a Senior Information and Risk Officer (SIRO) who is responsible for maintaining and protecting information held by the organisation. The Caldicott Guardian and SIRO will often liaise regarding risk or incidents and data to be released which may comprise of patient data. For further information regarding these roles please see the HSCIC website.HSCIC website. 13

IT Security NHS organisations hold a vast array of information relating to individuals and this must be protected and maintained. The Department of Health have produced a code of practice for information security managementcode of practice In relation to FOI and their responses, steps needs to be taken to minimise the risk of information being inadvertently shared in the public domain. National Archives has produced a ‘redaction toolkit’ 14

What have you learnt? 15 1.What does FOIA mean? 2.How long does a public authority have when responding to an FOI request? 3.When can an extension to the deadline of an FOI request be used?

Any final questions? 16

Thank you 17