Responding to Freedom of Information (FOI) requests correctly and within mandated timescales is an important part of complying with the principles of transparency and accountability under the GDPR and the Freedom of Information Act 2000. We have put together the following tips, along with potential pitfalls schools should avoid.
Top tips for responding to FOI requests
- Understand the requirements of the FOI Act
Familiarise yourself with the Freedom of Information Act 2000 and your obligations. This includes understanding what constitutes a request, what information is covered, and the timeframes for responses.
- Establish an FOI Policy
Develop a clear FOI policy that outlines how your school will handle requests. This should include roles and responsibilities, procedures for acknowledging requests, and how to gather information.
- Designate an FOI Officer
This is likely be your DPO or Data Protection Champion, alternatively you can appoint a designated FOI officer or team responsible for managing requests. This ensures there is a clear point of contact and accountability.
- Respond promptly
The FOI Act requires schools to respond to requests within 20 working days. Ensure that your processes allow for timely responses and consider setting internal deadlines to meet this requirement. It is good practice to acknowledge receipt of FOI requests as soon as possible. This helps manage the requester’s expectations and underscores your commitment to transparency.
- Conduct a thorough search
Ensure a comprehensive search for the requested information. This includes checking both electronic and paper records. Involve relevant staff members as needed.
- Redact information carefully
If redactions are necessary, ensure that they are done appropriately and clearly explain the reasons for withholding any information to the requester.
- Review information before disclosure
Assess the information for any exemptions that may apply under the FOI Act (personal data, commercial interests, or information intended for future publication). The ICO recently issued a reprimand to Southend-on-Sea City Council in Essex after hidden data on a spreadsheet released as part of a freedom of information request revealed the sensitive personal details of staff.
- Keep detailed records
Maintain a log of all FOI requests received, along with details of how they were handled. You should ensure that if you use exemptions you detail which exemption you are using and how it applies to your scenario. This is important for auditing purposes and can help improve processes over time.
- Communicate clearly
When you do respond, use clear, plain language. If any information is withheld, provide a clear explanation of the reasons why, including citing relevant sections of the legislation where appropriate.
- Include guidance on re-use of information you provide
If applicable, inform the requester about any right they may or may not have to re-use the information under the Re-use of Public Sector Information Regulations (RPSI), you can find guidance on this from the ICO.
- Seek legal advice as needed
If you are unsure about any aspect of handling an FOI request, particularly regarding exemptions and data protection issues, seek legal advice to ensure compliance.
Possible pitfalls schools can easily avoid
- Ignoring requests: ignoring or failing to respond to FOI requests can lead to serious repercussions, including complaints to the ICO and reputational damage so make sure you acknowledge and respond within mandated timescales. The ICO have released their decisions on 16 complaints about FOI responses from Education Organisations since November 2024.
- Incomplete searches: failing to conduct a thorough search for information may result in incomplete replies, leading to repeated requests or complaints taking up more of your valuable resources.
- Citing exemptions incorrectly: mis-applying exemptions can lead to further requests for information or complaints. Make sure you understand when and how to apply exemptions, seek advice if you are unsure.
- Failure to document decisions: not keeping records of FOI requests and the decisions made can hinder future audits and reviews. Documentation is an important part of compliance with the accountability principle of the GDPR so make sure you maintain a log of FOI requests, just as you do for Subject Access Requests (SARs). If you are using the GDPRiS platform you will already be familiar with logging and managing information requests.
- Poor communication: lack of clear communication with the requester can lead to misunderstandings or dissatisfaction, increasing the likelihood of complaints, adding to the time you need to dedicate to the request.
- Dis-regarding Data Protection: overlooking the implications of data protection law and the GDPR, particularly when handling personal data, can lead to breaches, reputational damage and potential legal issues.
- Delays in response: failing to respond within the statutory timescales almost always results in a complaint to the ICO. Consistently monitor timelines and internal processes to prevent delays. If you are using GDPRiS, you will already be able to keep on top of this easily with its timely count-down notifications.
- Not reviewing policies regularly: failing to regularly review and update FOI policies can result in outdated practices that do not comply with current regulations.
- Failure to ensure staff know how to use systems and software: staff not only need to understand how to log, manage and respond to FOIs, it is important that any staff tasked with dealing with information requests receive appropriate system and software training to allow them to fulfil the request properly.
By avoiding these pitfalls, your school can manage FOIs more effectively and efficiently, not only fulfilling its legal obligations but saving time and building trust across your school community and the wider public. Regular training and reviews of processes will further enhance your school's capability to respond to FOI requests and your overall compliance with legislation.