This informal CPD article, ‘Why understanding information requests matters‘, was provided by Becky Hall, Information Governance Manager at Naomi Korn Associates, a UK-based leader specialising in copyright, data protection and licensing.
An individual can request to see information held by an organisation for any number of reasons – and they don’t have to give a reason why. Making sure that replies are received in a timely manner, and within the timeframe set out in law, is an important requirement for organisations.
Organisations should have a clear process for handling requests. The process should outline everything, from the person responsible for acknowledging the request, through to key contacts for certain areas within the organisation. This prevents information requests from being seen as a complicated task to approach as they have been properly considered and appropriate measures put in place.
There are several avenues for requesting and accessing information.
Accessing their own personal data: Data Subject Access Request (Data Protection)
Under data protection law, individuals have rights in relation to data held about them. Usually, they should receive a response from the organisation within one calendar month of their request being received.
Accessing public sector organisational information: Freedom of Information Act (FOIA) and Environmental Information Regulations (EIR)
Individuals also have the right to request official information from public bodies Under the Freedom of Information Act (FOIA) and Environmental Information Regulations (EIR). In these instances, the deadline is 20 working days to generate a response. If FOI applies to your organisation, it worthwhile reviewing your publication scheme on a regular basis. This will ensure that it still links to current information and that this information is updated as necessary.
Managing information requests
Not all of the requested information must be provided because it’s been requested. Knowing when information can be withheld and the reasoning behind it is a key part of responding to information requests. It is important to remember that even if a request looks similar to a previous request from someone else that each request is unique and should be considered as such.
Under data protection law there are a variety of exemptions that can apply in certain situations but these need to be carefully considered and not applied routinely to requests that look similar. In a data subject access request, redacting personal information of a third party is a common way of withholding information.
FOIA also has exemptions in relation to withholding data, some of these are absolute whilst others have to be considered in light of the public interest test. For example, information already reasonably accessible is an absolute exemption whilst information intended for future publication is subject to the public interest test. Whilst under EIR these are referred to as exceptions they work in a similar way to FOIA exemptions with some of them requiring a public interest test before the exception can be applied.
There are also circumstances in which organisations can not comply with a request, for example, if it is excessive or vexatious. Again, the decision not to reply to a request needs to be carefully considered and if the decision is taken not to respond it should not impact how any future requests from the individual are dealt with. Just because one request they submitted was excessive it doesn’t mean that all requests that follow will be too.
It is also important to consider the way in which the organisation communicates with those who submit an information request. Where possible, language and style should be aimed at the individual to make sure that they fully understand the process and the response. After all, most people who request data don’t work with FOI, EIR, or data protection law daily and the use of excessive legal phrasing can be off-putting. In the same way, the process for submitting an information request should be clear, easy to access, and not collecting excessive information to help encourage people to exercise their rights.
Ensuring that an organisation has skilled members of staff to deal with information requests not only supports the organisation in complying with its legal requirements but helps ensure that the information request process is as accessible for the individual as possible. As individuals may submit an information request for any number of reasons, including when they are upset or angry as a result of actions taken by an organisation, ensuring that the handling of the request is as seamless as possible can help maintain a good relationship with the individual. Repeated poor handling of requests may result in complaints being shared with the Information Commissioner’s Office and potential investigation depending on the scale.
Ensuring those employees who are responsible for handling requests under Data Protection law, Freedom of Information or Environmental Information Regulations have adequate training and knowledge is essential to ensure organisational compliance but also to ensure a professional service to your customers, clients and other requestors.
We hope this article was helpful. For more information from Naomi Korn Associates, please visit their CPD Member Directory page. Alternatively, you can go to the CPD Industry Hubs for more articles, courses and events relevant to your Continuing Professional Development requirements.