Freedom of Information Policy
Code of Practice for Responding
to Requests for Information
Reference Number Version
Status
Executive Lead(s)
Author(s)
41
7.0
Current
SIRO, Caldicott Guardian
Peter Wilson
Approval Body
Information Governance Committee (IGC)
Date Approved
30/05/22
Ratified by
Trust Executive Group (TEG)
Date Ratified
16/06/22
Date Issued
29/07/19
Review Date
30/05/25
Contact for Review Name and Job Title: Michael Maginnis, Head of Information Governance / Data
Protection Officer, Flordeliza Broughton, Assistant IG Manager.
Code of Practice for Responding to Requests for Information
Associated Documentation
Trust Controlled Documents 18.
Internet Acceptable Use Policy.
26.
Information Governance Policy.
27.
Data Protection Policy.
29.
Information Security Policy.
69.
Password Policy.
197.
Information Risk Management Policy.
200.
Network Security Policy.
259.
Information Asset Policy.
260.
IG Management Framework.
387.
NHS.Net E-mail Policy.
Trust Codes of Practice
36.
Staff Code of Conduct.
68.
Agreement for the Acceptable Use of Trust Computing Systems.
70.
Code of Practice in the use of Passwords.
71.
Trust Code of Practice for storing and managing information on network and local computer drives.
165.
Mandated Procedures for the Transfer of Personal Confidential Data (PCD) and other Sensitive or
Confidential Information.
201.
Code of Practice in the Use of Trust Issued USB Sticks.
388.
Trust Code of Practice in the use of NHS.Net E-mail.
Procedures
335.
Procedure for the Management of Data Security & Protection Incidents (DSPI).
Legal Framework
UK Data Protection Act 2018.
EU General Data Protection Regulation 2016.
Computer Misuse Act 1990.
Freedom of Information Act 2000.
Environmental Information Regulations 2004.
Health and Safety at Work Act 1974.
Human Rights Act 1998.
Health & Social Care (Safety & Quality) Act 2015.
NHS Act 2006.
Conditions of Contract.
Privacy and Electronic Communications Regulations 2003.
Code of Practice for Responding to Requests for
Page 2
Version 7.0
Information
Code of Practice for Responding to Requests for Information
For more information on this document please contact:
The Department for Information Governance, Caldicott & SIRO Support
Sheffield Teaching Hospitals NHS Foundation Trust
2 Claremont Place
SHEFFIELD
S10 2TB
Tel: 0114 226 5151
E-mail:
xxx.xxxxxxx@xxx.xxx
Intranet Site:
http://nww.sth.nhs.uk/NHS/InformationGovernance/
Version Control
Version
Date issued
Brief summary of change
Owner’s name
3.0
09/08/11
Reviewed by IGCS, Reformat into new controlled document layout.
Peter Wilson
No changes were made to the document following the review.
4.0
13/02/14
Reviewed with no material changes.
Peter Wilson
5.0
12/03/18
Reviewed with no material changes.
Neil Burden
6.0
23/05/19
Review and updates to Information Governance email address for
Neil Burden
NHSmail and added IG web-site address.
7.0
12/05/22
Reviewed with no material changes.
Neil Burden
Document Imprint
Copyright ©Sheffield Teaching Hospitals NHS Foundation Trust 2022: All Rights Reserved
Re-use of all or any part of this document is governed by copyright and the “Re-use of Public Sector Information
Regulations 2015. SI 2015 No 1415
Information on re-use can be obtained from:
The Department for Information Governance, Caldicott & SIRO Support, Sheffield Teaching Hospitals
Tel: 0114 226 5151. E-m
ail xxx.xxxxxxx@xxx.xxx
Code of Practice for Responding to Requests for
Page 3
Version 7.0
Information
Code of Practice for Responding to Requests for Information
Executive Summary
Code of Practice for Responding to Requests for information
Document Objectives
Code of Practice to enable a managed response to Freedom of Information (FoI) requests throughout the Trust,
ensuring that the Trust carries out its responsibilities within the FoI legislation.
Group/Persons Consulted
Information Governance Committee, Informatics Directorate and the Caldicott Guardian.
Monitoring Arrangements and Indicators
Issued electronically by the Information Governance department and the document is available on the Trust
Intranet.
Training Implications
To be included as part of staff training, awareness and induction at all organisation levels. The Code of Practice
for Responding to Requests for Information forms part of the Information Governance Training Modules that are
available online and via the Trusts Personal Achievement and Learning Management System (PALMS) and the
Electronic Staff Record (ESR).
Equality Impact Assessment
Completed and signed off.
Resource Implications
Staff familiarisation with the Policy: Training and monitoring.
Intended Recipients
All staff.
Who should
Be
aware of the document and where to access it.
All staff (including temporary staff, locums, those on a short-term contract or those that hold a letter of
authority).
Understand the document.
Senior Managers.
Have a
good working knowledge of the document
All Senior Managers, SIRO, Caldicott Guardian, Director of Informatics and the staff of IGCS.
Code of Practice for Responding to Requests for
Page 4
Version 7.0
Information
link to page 6 link to page 6 link to page 7 link to page 7 link to page 7 link to page 7 link to page 7 link to page 8 link to page 8 link to page 8 link to page 8 link to page 8 link to page 9 link to page 9 link to page 9 link to page 10 link to page 10 link to page 10 link to page 10 link to page 11 link to page 11 link to page 11 link to page 11 link to page 11 link to page 13 link to page 14 link to page 15 link to page 16 link to page 18 link to page 20 link to page 21
Code of Practice for Responding to Requests for Information
Contents
Section
Page
1.
Definitions
6
2.
Introduction
6
3.
Data Protection Act 2018
7
4.
Responsibilities
7
4
.1. Director of Service Development
7
4
.2. Information Governance Department
7
4
.3. Directorates and Departments
7
4
.4. Directorate and Departmental Record Managers
8
4
.5. Trust Staff
8
5
Procedure for Responding to Requests for Information (RFI's) under the Act
8
5
.1. General
8
5
.2. Initial Request – assisting the Applicant
8
5
.3. Action by Information Governance Department
9
5
.4. Action by Directorates and Departments
9
5
.5. Response by Information Governance Department
9
5
.6. Timescale for Responding to Requests
10
5
.7. Fee Charging
10
5
.8. Notification of Complaints Procedure
10
5
.9. Refusal of Request
10
5.10
. Contracts and 3rd Party Confidence
11
5.11
. Requests as organised campaigns
11
6.
Complaints Procedure
11
7.
Review of the Code of Practice
11
8.
Trust Contacts
11
Appendix A
Assisting Applicants and Dealing with Requests
13
Appendix B
Consultation with Third Parties
14
Appendix C
Fee Regulations
15
Appendix D
Refusal of Requests
16
Appendix E
Complaints – Description of Procedures
18
Appendix F
Freedom of Information (FOI) Request for Information Flowchart
20
Appendix G
Equality Impact Assessment
21
Code of Practice for Responding to Requests for
Page 5
Version 7.0
Information
Code of Practice for Responding to Requests for Information
1. Definitions
1.1. Throughout this document the following terms are used:
•
"The Act" means the Freedom of Information Act 2000.
•
“Commissioner” means the Information Commissioner, the regulatory body for the Act.
•
"DPA" means the Data Protection Act 2018 which relates to the processing of personal data.
•
"RFI" means a written request for information under the provisions of the Act.
•
“The Trust” means the Sheffield Teaching Hospitals NHS Foundation Trust.
•
“MOJ” means the Ministry of Justice, responsible for the Act.
•
“IGCS” means the Department for Information Governance, Caldicott & SIRO Support.
2. Introduction
2.1. This Code of Practice (see note 1) provides guidance on the handling of requests for information
submitted under the Freedom of Information Act 2000 ('the Act'). It supplements the Trust's Freedom
of Information Policy and a parallel Code of Practice which provides guidance on the implementation
of records management in the Trust.
2.2. The Act requires that institutions implement and maintain an effective system for responding to
requests for information. The Trust is such a public authority under the Act. The Trust's Policy on
Freedom of Information is that it will comply fully with the Act, and it will place in the public domain
as much information about its activities as is practicable, and subject to the exemptions permitted
under the Act will make all other information available on request. In particular, it will conform to the
Secretary of State for Justice & Constitutional Affairs’ Code of Practice on the discharge of public
authorities’ functions made under Section 45 of the Act.
2.3. That Code of Practice requires the Trust to:
•
The Trust has a publication scheme
– Freedom of Information. This provides advice and
assistance to persons making requests for information.
•
Deal with all requests within 20 working days of receipt of request, after receipt of any fees in
accordance with the Secretary of State for Constitutional Affairs’ Fee Regulations and justify
any refusal of a request.
•
Assist a person making a request, when the information they are seeking is held by
another public authority.
•
Consult with third parties before releasing any data that may affect them.
•
Consult with third parties where it might enable the Trust in determining if and how the
information should be released.
•
Have a complaints procedure to deal with any complaints made about its Publication
Scheme, or the handling or result of an individual application.
2.4. The Trust details the classes of information that it has chosen to make publicly available, together
with details of how the information can be obtained and any associated cost.
1 Code of Practice issues under section 45 of the Freedom of Information Act 2000, providing guidance to
public authorities on the discharge of their functions and responsibilities under Part I (Access to information
held by public authorities) of the Act. The FOI Code of Practice can be found here
Code of Practice for Responding to Requests for
Page 6
Version 7.0
Information
Code of Practice for Responding to Requests for Information
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/744071/
CoP_FOI_Code_of_Practice_-_Minor_Amendments_20180926_.pdf.
2.5. The Trust regularly receives requests for information as part of the normal course of business.
Members of staff will be expected to continue dealing with these requests as normal.
2.6. This Code of Practice relates solely to requests for information where a member of the Trust is unable
or unwilling to respond to the request or the request is explicitly made under the Act and the
information requested is not covered in the Trust's Publication Scheme. All requests of this nature
must be passed to the Department for Information Governance, Caldicott & SIRO Support (IGCS) as a
matter of urgency. The IGCS will then consider the request and work with the appropriate
directorates and departments to locate the information. The IGCS will also consider any exemptions
that might apply to releasing the information and determine any associated fees.
3. Data Protection Act 2018
3.1. The provisions of the DPA always take precedence over those of the Freedom of Information Act
2000. Personal information must always be obtained, processed, stored and disclosed in
accordance with the DPA, even where a request for information has been made under the
provisions of the Freedom of Information Act.
4. Responsibilities
4.1. Director of Service Development.
The Director of Service Development has executive responsibility for the overall management of
the system and procedures.
4.2. The Department for Information Governance & Caldicott Support (IGCS).
The IGCS is responsible for:
•
Working with directorates and departments to ensure they are aware of their
responsibilities under the Act.
•
Ensuring all requests under the Act are handled in accordance with the Trust's Freedom of
Information Policy and Codes of Practice.
•
Assisting and advising individuals and organisations making requests under the Act.
•
Ensuring that, in considering requests for information and accepting or refusing them, the
public interest is properly assessed, and exemptions are properly applied.
•
Ensuring information is released within the timescales specified within this Code of
Practice (see paragraph 5.6)
•
Maintaining the Publication Scheme.
•
Keeping the Trust's Freedom of Information Policy and Codes of Practice under review.
•
Retrieval of information in long-term storage.
•
Liaising with directorates and departments to retrieve information held by them locally.
•
Maintaining the Freedom of Information databases.
4.3. Directorates and Departments.
Directorates and Departments are responsible for:
•
Ensuring that they comply with these procedures and that local arrangements are in
place to this end.
•
Appointing Directorate and Departmental Records Managers.
Code of Practice for Responding to Requests for
Page 7
Version 7.0
Information
Code of Practice for Responding to Requests for Information
4.4. Directorate and Departmental Records Managers.
Directorate and Departmental Records Managers are responsible for:
• Ensuring that all requests for information are passed on promptly to the IGCS and
systems are in place for checking and, if necessary, redirecting the post and electronic mail
of staff absent from Trust.
•
Assisting the IGCS in locating and retrieving information.
•
Assisting the IGCS in drafting the Trust's response to a request and preparing the
information in a suitable form, electronic or physical, for disclosure to the applicant.
•
Informing the IGCS of changes to any information covered by the Publication Scheme,
including changes to URL addresses.
4.5. Trust Staff.
Individual Trust Staff are responsible for:
•
Knowing their responsibilities under the Act.
•
Ensuring that, when they are absent from Trust for any reason, arrangements are in place
for their post and electronic mail to be checked or redirected to someone who can deal with
it promptly.
•
Responding to requests for information and, if they are unwilling or unable to do so in
their normal course of work, referring the request to the Directorate and Departmental
Records Manager.
•
Seeking advice when they are uncertain on how to respond to a request.
5. Procedure for Responding to Requests for Information (RFI's) under the Act
5.1. General.
All RFI’s under the Act must be directed to the IGCS in the first instance and they will then
determine how each request is handled. This is in line with current procedures for managing full
subject access requests under the DPA, where Directorates and Departments assist in retrieving
information and supplying it to the IGCS. The IGCS will then make the Trust’s formal response to
such requests. [A flowchart outlining the process for dealing with requests is in shown in
Appendix G.]
5.2. Initial Request – Assisting the Applicant.
•
There is an obligation on the Trust to provide advice and assistance to those making requests
under the Act. The duty on the Trust is to provide advice and assistance "so far as it would be
reasonable to expect [it] to do so".
•
Not all potential applicants will be aware of the Act, or Regulations made under it. Trust
staff receiving requests should draw these to the attention of potential applicants who
appear to be unaware of them or refer to the IGCS.
•
A request for information under the Act must be made in writing (which can include e- mail).
Where a person is unable to submit a written request, they should be referred to the IGCS.
•
A request for environmental information may be made verbally as well as in writing or by e-
mail. In such cases staff should refer the requestor to their manager.
•
Further details on assisting applicants and dealing with requests can be found in
Appendix A.
Code of Practice for Responding to Requests for
Page 8
Version 7.0
Information
Code of Practice for Responding to Requests for Information
5.3. Action by the Department for Information Governance, Caldicott & SIRO Support.
•
The IGCS is responsible for assisting applicants requesting information under the Act and
ensuring the requests are processed both in accordance with the Act and the Trust’s Policy
and Codes of Practice. Further details can be found in Appendix A.
•
Procedure for Identifying where information is held:
o
Documents stored electronically will be accessed via the information owner.
o
The IGCS will then be responsible for using the information and fulfilling the request.
•
Identify with the information owner any information located in long-term storage.
•
When the Trust does not hold the information. There may be circumstances when the
Trust does not hold some or all of the information requested by the applicant. In this case
the Trust will provide what it does hold but will also:
o Redirect the applicant to enable them to pursue their request where it is believed
another Public Authority holds some or all of the information,
o Provide advice and assistance to the applicant to enable them to pursue their request
where the Trust does not know who owns some or all of the information.
5.4. Action by Directorates and Departments.
The Directorate or Department will:
• Assist the IGCS to locate and retrieve the information requested.
•
Advise the IGCS if they believe there are any reasons why the information should be
withheld.
5.5. Response by Department for Information Governance, Caldicott & SIRO Support.
The IGCS will respond to all requests and release information having first:
• Ensured that information released complies with the DPA and the Freedom of Information
Act 2000.
•
Considered whether the information requested, or any part thereof is subject to an
exemption under the Act.
•
Consulted with third parties, where appropriate. Further details can be found in
Appendix B.
•
Shared any requests from the Press with the Trust Communication Department.
Code of Practice for Responding to Requests for
Page 9
Version 7.0
Information
Code of Practice for Responding to Requests for Information
5.6. Timescale for Responding to Requests.
•
The Act requires that replies to requests for information be made within 20 working days,
after the payment of any fee. Those dealing with requests must do so promptly and not
delay responding until the end of the 20-working day period if the information can
reasonably be provided earlier.
•
The IGCS aims to make all decisions within 20 working days, including those where it needs
to consider where the public interest lies in respect of an application for exempt
information.
•
In those instances when it is not possible for the IGCS to deal with an application
within 20 working days they must:
o
Give an estimate of the date by which they expect to reach such a decision.
o
Ensure that their estimates are realistic and reasonable in the circumstances of the
particular case taking into account, for example, of the need to consult third parties
where this is necessary.
o
Comply with their estimates unless there are good reasons not to do so. If they exceed
their estimate, they should apologies to the applicant and explain the reason(s) for the
delay. If they find while considering the public interest, that the estimate given is proving
unrealistic, they must keep the applicant informed. They must keep a record of instances
where estimates are exceeded and where this happens more than occasionally, take
steps to identify the problem and rectify it.
5.7. Fee Charging.
The Trust has discretion to charge applicants a fee in accordance with the Fees Regulations in
respect of requests made under the general right of access.
See –
https://ico.org.uk/media/1635/fees_cost_of_compliance_exceeds_appropriate_limit.pdf
Further details can be found in Appendix C.
5.8. Notification of the Complaints Procedure.
When communicating any decision made in relation to a request under the Act's general right of
access, the Trust is obliged to notify the applicant of their right of complaint. The IGCS will provide
details of the complaint’s procedure, including how to make a complaint and must inform the
applicant of their right to complain to the Information Commissioner if they are still dissatisfied
following the Trust’s review.
5.9. Refusal of Request.
Where the Trust relies on an exemption to refuse a request for information, IGCS must inform the
applicant which exemption has been claimed, and why that exemption applies. It must not merely
paraphrase the wording of the exemption. (Unless the statement would involve the disclosure of
information which would itself be exempt information).
The Act also requires the Trust, when withholding information (other than under an "absolute"
exemption), to state the reasons for claiming that the public interest test in maintaining the
exemption outweighs the public interest test for disclosure.
The Trust must specify the public interest factors (for and against disclosure) that have been
taken into account before reaching the decision. Further details on the exemptions that may be
claimed under the Act are in Appendix D.
Code of Practice for Responding to Requests for
Page 10
Version 7.0
Information
Code of Practice for Responding to Requests for Information
5.10. Contracts and 3rd Party Confidence.
The Trust should only accept information from third parties in confidence if it is necessary to
obtain that information in connection with the exercise of any of its functions and it would not
otherwise be provided. In addition, the Trust should not agree to hold information received from
third parties "in confidence" which is not confidential in nature. Acceptance of any confidentiality
provisions must be for good reasons, capable of being justified to the ICO. Further details are
given in Appendix D.
5.11. Handling Requests for Information which "appear to be part of an organised campaign".
The Trust is not required to comply with a number of related requests where the cumulative cost
of complying with the requests would exceed the "appropriate limit" (i.e. cost threshold)
prescribed in the MOJ Fees Regulations. In such cases the Trust must consider whether the
information could be disclosed in another, more cost-effective, manner. For example, publication
on the Trust’s website, and a brief notification of the website reference to each applicant, might
bring the cost within the appropriate limit.
6. Complaints Procedure
The complaints procedure may be used by any person who considers that the Trust is not
complying with its Publication Scheme, or who wishes to complain about the handling or
outcome of their request. Further details are in Appendix E.
7. Review of the Code of Practice
7.1. For monitoring purposes, the IGCS will keep a record of all applications. This will include
applications where all or part of the requested information is withheld. In addition to a record of
the numbers of applications involved where information is withheld, senior managers in the Trust
need information on each case to determine whether cases are being properly considered, and
whether the reasons for refusals are sound. The IGCS will also keep a record of all complaints and
of their outcome.
7.2. The Code of Practice and Procedures will be reviewed annually as part of the review of the main
Policy. The review will also monitor appropriate statistics, complaints and procedures for dealing
with requests for information.
7.3. The IGCS will consider whether the Publication Scheme can be updated to include any material that
is the subject of repeat requests
8. Trust Contacts
8.1. Any enquiries about this Code of Practice or for more details on the Trust's Freedom of
Information Policy and Model Publication Scheme should be directed to:
The Department for Information Governance, Caldicott & SIRO Support
Sheffield Teaching Hospitals NHS Foundation Trust
2 Claremont Place
SHEFFIELD
S10 2TB
Tel: 0114 226 5151
E-mail:
xxx.xxxxxxx@xxx.xxx
Intranet Site:
http://nww.sth.nhs.uk/NHS/InformationGovernance/
Code of Practice for Responding to Requests for
Page 11
Version 7.0
Information
Code of Practice for Responding to Requests for Information
8.2. In the first instance the contact for any complaints in relation to the Publication
Scheme or a request for information should be directed to:
The Department for Information Governance, Caldicott & SIRO Support
Sheffield Teaching Hospitals NHS Foundation Trust
2 Claremont Place
SHEFFIELD
S10 2TB
Tel: 0114 226 5151
E-mail:
xxx.xxxxxxx@xxx.xxx
Intranet Site:
http://nww.sth.nhs.uk/NHS/InformationGovernance/
8.3. Any complainant who considers that their complaint has not been satisfactorily dealt with should
address their complaint in writing to the official regulator for the Freedom of Information Act
Information Commissioner Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
https://ico.org.uk/
Code of Practice for Responding to Requests for
Page 12
Version 7.0
Information
Code of Practice for Responding to Requests for Information
Appendix A – Assisting Applicants and Dealing with Requests
1. When a person is unable to submit a written request, the IGCS will provide further assistance.
Depending on the circumstances, appropriate assistance might include:
• Advising the applicant who else might be able to assist them, for example Citizen’s Advice
Bureau or the Information Commissioners Office. In exceptional circumstances, offering to take
a note of the application over the phone and then sending the note to the applicant for
confirmation.
2. Where the request is vague or ambiguous the Trust is obliged, as far as practicable, to assist the
applicant in clarifying the request. The purpose of this is to clarify the nature of the information
sought, not to determine the aims or motivation of the applicant. This may include providing:
• An outline of the different kinds of information which might meet the terms of the request.
• A general response to the request setting out options for further information which could be
provided on request.
• Access to detailed catalogues and indexes, where available, to help the applicant ascertain the
nature and extent of the information held by the authority.
3. If following the provision of such assistance, the applicant is still unable to describe the information
requested in a way that would enable the Trust to identify and locate it; the Trust is not expected to
seek further clarification. It is, however, required to disclose any information that has been
successfully identified and explain to the applicant why it cannot take the request any further. It
must also provide the applicant with details of the Trust’s Complaints Procedure.
4. Where the applicant is not prepared to pay the appropriate fee, the Trust should nevertheless
consider whether there is any information that may be of interest to the applicant that is available
free of charge.
5. Where the Trust is not obliged to supply the information requested because the cost of doing so
would exceed the "appropriate limit" (i.e., cost threshold), and where the Trust is not prepared to
meet the additional costs itself, it should nevertheless provide an indication of what information
could be provided within the cost ceiling.
6. The Trust is not expected to provide assistance to applicants whose requests are deemed vexatious
within the meaning of the Act.
Code of Practice for Responding to Requests for
Page 13
Version 7.0
Information
Code of Practice for Responding to Requests for Information
Appendix B – Consultation with Third Parties
1. In some cases, the disclosure of information pursuant to a request may affect the legal rights of a third
party, for example where information is subject to the common law duty of confidence or where it
constitutes "personal data" within the meaning of the DPA. Members of staff must always remember
that, unless an exemption provided for in either the DPA or the Freedom of Information Act applies in
relation to any particular information, it will be obliged to disclose that information in response to a
request.
2. In some cases, a disclosure of information cannot be made without the consent of a third party (for
example, where information has been obtained from a third party and in the circumstances the
disclosure of the information without their consent would constitute an actionable breach of confidence
such that the exemption at Section 41 of the Act would apply). In such instances, members of staff must
consult that third party with a view to seeking their consent to the disclosure unless such a consultation
is not practicable (for example because the third party cannot be located or because the costs of
consulting them would be disproportionate).
3. Where information constitutes "personal data" within the meaning of the DPA, staff must have regard to
Section 40 of the Act which makes detailed provision for cases in which a request relates to such
information and the interplay between the Act and the DPA in such cases.
4. Where the interests of the third party who may be affected by a disclosure do not give rise to legal
rights, consultation may still be appropriate.
5. Consultation should take place where:
•
The views of the third party may assist the Trust to determine whether an exemption
under the Act applies to the information requested; or
•
The views of the third party may assist the Trust to determine where the public interest
lies under Section 2 of the Act.
6. Members of staff may consider that consultation is not appropriate where the cost of consulting with
third parties would be disproportionate. In such cases, staff must consider taking a reasonable course of
action in light of the requirements of the Act and the individual circumstances of the request.
7. Consultation will be unnecessary where:
•
The Trust does not intend to disclose the information relying on some other legitimate
ground under the terms of the Act.
•
The views of the third party can have no effect on the decision of the authority, for
example, where there is other legislation preventing or requiring the disclosure of this
information.
•
No exemption applies and so, under the Act's provisions, the information must be
provided.
8. Where the interests of a number of third parties may be affected by a disclosure and those parties
have a representative organisation which can express views on behalf of those parties, the Trust may,
if it considers consultation appropriate, consider that it would be sufficient to consult that
representative organisation. If there is no representative organisation, the Trust may consider that it
would be sufficient to consult a representative sample of the third parties in question.
9. The fact that the third party has not responded to consultation does not relieve the Trust of its duty to
disclose information under the Act, or its duty to reply within the time specified in the Act.
10. In all cases, it is for the Trust, not the third party (or representative of the third party) to determine
whether or not information should be disclosed under the Act. A refusal to consent to disclosure by a
third party does not, in itself, mean information should be withheld.
11. It is likely that many requests of this type will involve consultation with the NHS Trusts that the
Trust has relationships with. In these cases, the Trust may wish to ensure that a co-ordinated
response is adopted to ensure that any exemptions are properly assessed.
Code of Practice for Responding to Requests for
Page 14
Version 7.0
Information
Code of Practice for Responding to Requests for Information
Appendix C – Fee Regulations
1. In dealing with any request for information under the Act the Trust is able to charge fees in
accordance with the Freedom of Information Fee Regulations.
https://ico.org.uk/media/1635/fees_cost_of_compliance_exceeds_appropriate_limit.pdf
2. The costs to be taken into account by the Trust when determining any fee to be charged are:
• The prescribed costs, meaning any costs reasonably incurred by the Trust in determining whether
it holds information of the description specified in the request, in locating and retrieving any such
information and in giving effect to any preference expressed by the applicant as to the means of
communication of such information, including the cost of associated staff time, but does not
include the cost of staff time incurred in determining whether the Trust is obliged to comply with
the request for information; and
• The disbursements meaning any costs directly and reasonably incurred by the Trust in informing the
applicant whether it holds information of the description specified in the request and in
communicating any such information to him:
• what would be incurred by the Trust in complying with the request for information to which
the fee relates.
Calculation of an Appropriate Fee The Trust does not have to comply with a request for information if it estimates that the cost of complying
with the request would exceed the appropriate limit which is £450 (based on the MOJ regulations of a
notional cost of 18 hours’ work at £25.00p per hour).
3. Where the cost of complying with a request exceeds the appropriate limit then the Trust may still decide
to comply with the request. In this case then the Trust shall follow one of the following arrangements:
• provide the information at no charge.
• charge the full cost.
• charge the difference between the total cost and the appropriate limit.
Aggregation of costs
4. Where two or more requests for information are made to the Trust and:
• the two or more requests referred to in that section are for information which is on the same
subject matter or is otherwise related.
• the last of the requests is received by the Trust before the twentieth working day following
the date of receipt of the first of the requests; and
• it appears to the Trust that the requests have been made in an attempt to ensure that the
prescribed costs of complying separately with each request would not exceed the appropriate
limit.
then the estimated cost of complying with any of the requests is to be taken to be the estimated total cost
of complying with all of them.
Disbursements
5. The Trust will not charge for disbursements under £25.00.
Code of Practice for Responding to Requests for
Page 15
Version 7.0
Information
Code of Practice for Responding to Requests for Information
Appendix D – Refusal of Requests
1. Some of the information held by the Trust may be regarded as exempt information i.e., it will not have
to be provided in response to an individual request. There are 23 such exemptions and they relate to
information held for a variety of functions. These include national security, law enforcement,
commercial interests and personal data. The IGCS will be responsible for deciding if an exemption is
applicable.
2. Before relying on an exemption, the IGCS will usually be obliged to consider two further points. First,
some of the exemptions can only be claimed if the release of the information would prejudice the
purpose to which the exemption relates. Thus, information held in connection with law enforcement can
only be withheld if its release would, for example, prejudice the prevention or the detection of a crime.
Secondly, some of the exemptions also require the IGCS to apply the "public interest" test before making
a final decision as to whether or not to release the information. The public interest test requires the Trust
to consider whether the public interest in withholding the exempt information outweighs the public
interest in releasing it.
3. Most of the exemptions will require the IGCS to consider both the test of prejudice and the public
interest test. However, care must be taken to determine if a specific exemption can be relied upon. It
should be noted that only the information to which an exemption applies would be withheld. Thus, if a
particular document had been requested which contained some exempt information, only those
specific items of exempt information could be withheld. The rest of the document would still have to be
released.
Contracts
4. When entering into contracts the Trust should refuse to include contractual terms which purport to
restrict the disclosure of information held by the Trust and relating to the contract beyond the
restrictions permitted by the Act. The Trust cannot "contract out" its obligations under the Act. Unless
an exemption provided for under the Act is applicable in relation to any particular information, the Trust
will be obliged to disclose that information in response to a request, regardless of the terms of any
contract.
5. When entering into contracts with non-public authority contractors, the Trust may be under pressure to
accept confidentiality clauses so that information relating to the terms of the contract, its value and
performance will be exempt from disclosure. The Trust should reject such clauses wherever possible.
Where, exceptionally, it is necessary to include nondisclosure provisions in a contract, an option could
be to agree with the contractor a schedule of the contract that clearly identifies information, which
should not be disclosed. However, the Trust will need to take care when drawing up any such schedule
and be aware that any restrictions on disclosure provided for could potentially be overridden by its
obligations under the Act, as described in the paragraph above.
6. In any event, the Trust should not agree to hold information 'in confidence' which is not in fact
confidential in nature. It should be aware that the exemption provided for in the Act only applies if
information has been obtained by the Trust from another person, and the disclosure of the information
to the public, other than under the Act, would constitute a breach of confidence actionable by that, or
any other, person.
7. Any acceptance of such confidentiality provisions must be for good reasons and capable of being
justified to the Commissioner.
Code of Practice for Responding to Requests for
Page 16
Version 7.0
Information
Code of Practice for Responding to Requests for Information
8. It is for the Trust to disclose information pursuant to the Act, and not the non-public authority
contractor. However, the Trust may wish to protect from disclosure by the contractor, by appropriate
contractual terms, information which it has provided to the contractor, which would clearly be exempt
from disclosure under the Act, by appropriate contractual terms. In order to avoid unnecessary secrecy,
any such constraints should be drawn as narrowly as possible and according to the individual
circumstances of the case. Apart from such cases, the Trust should not impose terms of secrecy on
contractors.
9. The Act empowers the Secretary of State for Justice & Constitutional Affairs to designate, as public
authorities for the purposes of the Act, persons (or bodies) who provide under a contract made with a
public authority, any service whose provision is a function of that authority. Thus, some non-public
authority contractors will be regarded as public authorities within the meaning of the Act, although only
in respect of the services provided under the specified contract. As such, and to that extent, the
contractor will be required to comply with the Act like any other public authority.
Code of Practice for Responding to Requests for
Page 17
Version 7.0
Information
Code of Practice for Responding to Requests for Information
Appendix E – Complaints
Description of Review Procedure
1. Under the Secretary of State for Constitutional Affairs Code of Practice on the discharge of public
authorities’ functions made under Section 45 of the FOI Act, each public body is required to have a
means of dealing with those expressing dissatisfaction with the public authority’s actions in response to
a Request for Information (RFI). In line with the recommendations contained within Section 45,
Sheffield Teaching Hospitals NHS Foundation Trust has in place a review procedure to be followed if a
requester is dissatisfied with a response.
2. This review procedure is not part of the Trust’s Patients complaints policy.
Receipt of correspondence
3. Any written correspondence from an applicant (including one transmitted by electronic means)
expressing dissatisfaction with the Trust’s response to a valid request for information should be treated
as a complaint, as should any written communication from a person who perceives the Trust is not
complying with the current Publication Scheme methodology. These communications should be handled
in accordance with the procedure outlined below, even if, in the case of a request for information under
the general right of access, the applicant does not state his or her desire for the Trust to review its
decision or its handling of the application.
4. In all cases, complaints should be acknowledged, and the complainant should be informed of the Trust’s
target date for determining the complaint. Where it is apparent that determination of the complaint will
take longer than the target time (for example because of the complexity of the particular case), staff
must inform the applicant and explain the reason for the delay. The complainant should always be
informed of the outcome of his or her complaint.
5. The Trust can set its own target times for dealing with complaints, but these must be reasonable,
defensible, and subject to regular review. The Trust must publish its target times for determining
complaints and information as to how successful it is with meeting those targets.
Outcome
6. Where the outcome of a complaint is that information should be disclosed which was previously
withheld, the information in question should be disclosed as soon as practicable and the applicant
should be informed how soon this will be.
7. Where the outcome of a complaint is that the Trust’s staff have not properly followed the
procedures within the Trust, the Trust should apologise to the applicant. The Trust should also take
appropriate steps to prevent similar errors occurring in future.
8. Where the outcome of a complaint is that an initial decision to withhold information is upheld, or is
otherwise in the Trust's favour, the applicant should be informed of his or her right to apply to the
ICO and be given details of how to make an application, for a decision on whether the request for
information has been dealt with in accordance with the requirements of the Act.
Code of Practice for Responding to Requests for
Page 18
Version 7.0
Information
Code of Practice for Responding to Requests for Information
Stage 1
9. The IGCS will deal with any initial complaint in an informal manner. If a complaint cannot be dealt with
satisfactorily on an informal basis, the IGCS will inform the complainant about the Trust’s procedure for
dealing with complaints about its actions in respect requests for information and in accordance with
the MOJs Code of Practice under Section 45 of the Act and how he or she may contact the ICO if he or
she wishes to do so. The IGCS must also explain that although the complainant cannot apply to the ICO
for a decision until the Trust’s Review Procedure has been exhausted, the ICO might investigate the
matter at his or her discretion.
10. All complaints at this stage must normally be dealt with promptly.
Stage 2
11. Where the complaint concerns a request for information under the general right of access, a person
who was not a party to the original decision, where this is practicable, should handle the review.
12. The Reviewer or the Review Team must respond to all complaints within 20 working days from the first
working day after the complaint was received.
13. If the applicant is still not satisfied, then they may pursue their complaint with the Information
Commissioner.
Code of Practice for Responding to Requests for
Page 19
Version 7.0
Information
Code of Practice for Responding to Requests for Information
Appendix F
Code of Practice for Responding to Requests for
Page 20
Version 7.0
Information
Code of Practice for Responding to Requests for Information
Appendix G
INITIAL EQUALITY IMPACT ASSESSMENT PROFORMA FOR POLICY
POLICY: Code of Practice for Responding to Requests for Information
Equality Impact Assessment completed by: Peter Wilson
Date: 29/05/19
Who has been consulted?
Department of Information Governance, Caldicott & SIRO Support.
Information Governance, Caldicott & SIRO Support Manager.
Information Security Manager.
Information Governance Committee.
Trust SIRO.
Equality and Human Rights Manager, STH.
Describe the aims, objectives and purpose of the policy service being assessed:
To ensure the Trust has a full ratified code of practice which supports the Freedom of Information Policy and the
Information Governance Management Framework (IGMF) with regard to answering requests under the terms of
the Freedom of Information Act 2000 and the Environmental Information Regulations 2004.
To ensure that the legal and contractual obligations of the legislation is clearly understood by all staff and that
the requirements in such use are met.
This is further supported by the controls in the Data Security and Protection Toolkit (DSPT), the Trust
Confidentiality – Staff Code of Conduct, The Mandated Procedures for the Transfer of Personal Confidential Data
(PCD) and other Sensitive or Confidential Information, the Information Security Policy the Information Risk
Management Policy and the employee contract of employment.
Who is intended to benefit?
All employees
Code of Practice for Responding to Requests for
Page 21
Version 7.0
Information
Code of Practice for Responding to Requests for Information
Does the policy have any differential impact on the following equality areas?
Positive, Negative or
Supporting evidence/data
Neutral Impact
Race/Ethnicity
Neutral
Gender (including pregnancy/
Neutral
maternity and gender
reassignment)
Disability
Neutral
Religion or belief
Neutral
Sexual orientation
Neutral
Age
Neutral
Dignity & Human Rights
Neutral
Social Deprivation / Tackling Health Neutral
Inequality
Please identify what further action is required e.g., collection of data, full impact assessment
Action
Timescale
Lead Person
Approved by: Neil Burden Date of review: 12/05/22
Code of Practice for Responding to Requests for
Page 22
Version 7.0
Information