The Freedom of Information (FOI) Act 2000 provides public access to information held by public authorities. It does this in two ways:
• Public authorities are obliged to publish certain information about their activities
• Members of the public are entitled to request information from public authorities
The Act covers any recorded information* that is held by a public authority in England, Wales and Northern Ireland, and by UK-wide public authorities based in Scotland.
*It should be noted that personal information will be exempt from release under this legislation as it is protected by the Data Protection Act 2018 and GDPR regulations.
Recorded information
The Act covers all recorded information held by a public authority, which might include but is not limited to:
Printed documents
Computer files
Letters
Emails
Notes
Photographs
Sound or video recordings, for example, telephone conversations or CCTV
Recorded information is not limited to official documents nor is it limited to information you create, so it also covers, for example, letters you receive from members of the public, although there may be a good reason not to release them or to release only parts of the information within documents, for example parts of an email including personal details may not be visible.
Public authority
Public authorities include:
Government departments
Local authorities
The NHS
State schools
Police forces
However, the Act does not necessarily cover every organisation that receives public money. For example, it does not cover some charities that receive grants and certain private sector organisations that perform public functions.
Anyone can ask for any information that is held by a public authority. However, this does not mean you are always obliged to provide the information. In some cases, there will be a good reason why you should not make public some or all of the information requested.
Publishing Information
As well as responding to requests for information, organisations must publish information proactively. The Freedom of Information Act requires every public authority to have a publication scheme, approved by the Information Commissioner’s Office (ICO), and to publish information covered by the scheme.
The scheme must set out your organisation’s commitment to make certain classes of information routinely available, such as policies and procedures, minutes of meetings, annual reports and financial information.
For a request to be valid under the Freedom of Information Act it must be in writing, but requesters do not have to mention the Act or direct their request to a designated member of staff.
It is good practice to provide the contact details of your freedom of information officer/team (which is on your organisation's website), but you cannot ignore or refuse a request simply because it is addressed to a different member of staff. Any letter or email to a public authority asking for information is a request for recorded information under the Act.
This doesn’t mean you have to treat every enquiry formally as a request under the Act. It will often be most sensible and provide better customer service to deal with it as a normal customer enquiry under your usual customer service procedures.
Session Summary
Key Points
We all have a duty to protect public information in a safe and secure manner
Data security can be broken down into three areas: confidentiality, integrity and availability
To make sure you comply with the law you must know and comply with any freedom of information policies and protocols that your organisation has in place, as well as other related legislation such as the Data Protection Act
Make sure information is shared in a secure way and that you have consent to do so. Give individuals an opportunity to check the accuracy of information and records held to enable any mistakes to be corrected
By following good practice, you can help to ensure that patient/service user information is not put at risk
Good data security is important and we are all bound by legal requirements to protect health and care information
Next Steps
Continue to the Data Security Awareness eAssessment. This should be completed to demonstrate the required knowledge and understanding and to complete the training. Remember to also familiarise yourself with local procedures.