Guidance On Legislation Relating To Access-To-Information
On 1 January 2005, new legislation came into force that provides members of the public with a right of access to recorded information held by Government and Public Authorities. This document outlines a framework within which the University can operate effectively whilst ensuring compliance. All staff must be aware of existing legislation, and understand that information which is requested, and consequently disclosed, may be information that has been generated or received by them.
There are two related access-to-information legislative regimes; the Freedom of Information Act (2000) (FoIA), and the Environmental Information Regulations (2005) (EIR). The Data Protection Act (1998) (DPA) also provides individuals with a right of access to their own personal data.
Whilst these pieces of legislation differ slightly, they all aim to increase openness and accountability within government and public sector authorities, by imposing obligations upon these bodies to proactively publish information, and to respond to information requests.
The FoIA and the EIR are both supported by Codes of Practice, which provide best practice and implementation guidance.
A brief outline of the different pieces of legislation
The Freedom of Information Act (2000) (FoIA)
Provides a right of access to all ‘recorded’ information, subject to specific, limited exemptions. Information must be published proactively through a publication scheme, and provided in response to an information request.
- The publication scheme is a guide to all the information the University is committed to publish routinely. It has 9 different classes of information, is located on the website, and acts as a ‘navigation tool’ to help the public find information about the University. See our Publication Scheme: http://www.lboro.ac.uk/admin/ar/policy/foi/Schemeindex.html
- A freedom of information request is any request for information, which must be made in writing (includes emails), and which states the name of the applicant and an address for correspondence. The information requested must be clearly described, but there is no need for the applicant to mention the Freedom of Information Act, or explain why the information is being requested. The University has 20 working days to locate, retrieve and communicate the information in response, subject to specific, limited exemptions.
The Environmental Information Regulations (2005) (EIR)
Provides a right of access to all recorded environmental information, subject to specific, limited exceptions, through proactive publishing and information requests.
- The definition of environmental information is very broad and includes information on the state of elements of the environment, the state of human health and safety, conditions of human life, the food chain, cultural sites and built structures, substances, energy, noise, radiation or waste, emissions, discharges and other releases into the environment, measures, policies, plans, programmes and environmental agreements and any cost benefit and other economic analysis used in environmental decision-making.
- Under the EIR, information requests can be made by any reasonable means of communication; e.g. in writing, by email, verbally over the telephone or during a meeting. University staff are advised to write down any requests that are received verbally to facilitate monitoring. Note that the applicant does not need to mention the Environmental Information Regulations or explain why the information is being requested. The University has 20 working days to locate, retrieve and communicate the information in response, subject to specific, limited exceptions.
The Data Protection Act (1998)
Provides individuals with a right of access to recorded information about themselves (their personal data) through subject access requests, but protects against the inappropriate disclosure of personal data to third parties.
- Personal data covers a wide range of information and is defined in the Act as “data which relate to a living individual who can be identified from those data”. The definition includes expressions of opinion of, and/or an organisation’s intentions with regard to, the individual. The Act covers personal data held in any format, electronic (including websites and emails), paper-based, photographic, or any other means from which an individual's information can be readily extracted.
- A subject access request must be made in writing (includes emails), state the name of the applicant and an address for correspondence. In addition, the applicant must provide some form of identification (e.g. passport, driving license, staff/student ID card). The information requested must be clearly described, but there is no need for the applicant to mention the Data Protection Act, or explain why the information is being requested. The University has 40 calendar days to provide the information, subject to specific, limited exemptions, and may, at its discretion, charge a standard fee of £10.
- Organisations must ensure that information about individuals is collected and used fairly, stored safely and securely and not disclosed to any third party unlawfully, according to the Data Protection Principles. See the University Data Protection Policy.
How the University complies with legislation
- proactively publishes as much information as practicable on the website and through the Publication Scheme;
- responds to requests for information within the specified time limits;
- releases all information in response to requests for information except where an exemption/exception legitimately applies;
- makes information available free of charge wherever possible, and only applies reasonable charges, according to the relevant legislation and Fees Regulations*;
- handles requests for information professionally and in accordance with the Codes of Practice issued under section 45 of the FOIA and Regulation 16 of the EIR, providing advice and assistance to applicants;
- consults, wherever possible, with third parties (organisations or individuals) when a request for information includes information relating to them and/or University business activities with them;
- transfers requests where appropriate, to another authority, in accordance with the Codes of Practice issued under section 45 of the FoIA and Regulation 16 of the EIR;
- manages its records in an organised and efficient way.
* Statutory Instrument No 3244: The Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004.
The University must comply with legislation. The Registrar has ultimate responsibility for ensuring that sufficient support and guidance is provided to all staff within the University. Complaints that are received by the University, following an insufficient response to an information request are monitored and may be reported to the Registrar for further investigation (see the Complaints Procedure). The Registrar would deal with any disciplinary procedures that may consequently arise.
It is the responsibility of all Managers to ensure that their area is compliant with legislation. This may involve:
- disseminating information about the legislation, to raise staff awareness
- motivating appropriate staff to attend specific training sessions
- identifying key contact people within their area (e.g. the Freedom of Information / Data Protection Advisors)
- clarifying within their area how staff should deal with requests for information they receive
- ensuring new members of staff receive adequate induction in this area
The Freedom of Information Officer
It is the responsibility of the FoI Officer to:
- raise awareness about the FoI Act and to promote compliance
- provide specific training sessions about the FoI Act
- provide advice and guidance to all staff who deal with requests for information
- ensure exemptions/exceptions are applied consistently, and only when relevant
- respond to any complaints that are received
- monitor the number of requests and complaints received.
The Data Protection Officer
It is the responsibility of the Data Protection Officer to
- provide advice and guidance to all staff who process personal data
- assist staff when responding to Subject Access Requests
- promote compliance with the University Data Protection Policy through specific training
The Freedom of Information / Data Protection Advisors
Advisors within each department/section act as an initial point of contact for staff. It is their responsibility to:
- liaise with the FoI & Records Manager / Data Protection Officer when responding to complex requests for information so that exemptions/exceptions are applied consistently
- attend relevant training provided by the FoI & Records Manager / Data Protection Officer
- promote compliance and disseminate relevant information to staff in their department/section
Every member of staff must:
- be aware of existing legislation, and where necessary undertake further training (opportunities and advice will be advertised)
- on receipt of an information request, respond appropriately, according to the supporting guidance issued
- seek advice from their Freedom of Information / Data Protection Advisors when necessary
- ensure that personal data are processed according to the Data Protection Act
- ensure that records for which they are responsible are maintained and disposed of in accordance with University policy and guidance. This will ensure that, when a request for information is received, the time taken to collate, retrieve and process the information will be kept to a minimum.
Various guidance notes and leaflets are available to assist staff in complying with legislation:
- Leaflet 1: Facts about the Freedom of Information Act
- Leaflet 2: How to deal with an Information Request
- Guidance Note 1: Differences in Access-to-Information Legislation
- Guidance Note 2: The Interaction between the Freedom of Information Act and the Data Protection Act
- Guidance Note 3: Exemptions under the Freedom of Information Act
- Guidance Note 4: Exceptions to the duty to disclose environmental information under the Environmental Information Regulations
Freedom of Information Act (Including Environmental Information Regulations and Records Management)
- Freedom of Information Officer, Registry, firstname.lastname@example.org
Data Protection Act
- Data Protection Officer, Registry, email@example.com