presentation to the north west data protection/freedom of information group foi 2005 and beyond 18...
TRANSCRIPT
Presentation to the North West Data Protection/Freedom of Information Group
FOI 2005 and Beyond
18th May 2004
Email: [email protected]: 01432 265782
www.demosprotocol.co.uk
© Copyright Demos Protocol 2004
Demos Protocol
Presentation Content
1. Assumptions & Aims
2. Sources of Guidance
3. Potpourri of Risks & Issues• strategic information management & FOI
• 2 stages of implementation
• policy components
• FOI & service delivery
• structural options
• other policy issues
• fees
• FOI skills
• outputs & monitoring
• risk management
Assumptions
• Mixed Authorities by Sector, Size & Outlook
• Participants vary by:– role, (FOI & DP Specialists, Knowledge & Information
Managers, Administrators, lawyers) – knowledge – & how far preparations have progressed
• At least aware of Act, 2 Codes & MAPs and compliance advice on Commissioner’s web site
Aims
• Questions & discussion points not definitive solutions
• Mixture of key issues & matters not covered elsewhere
• Not a comprehensive risk analysis or implementation guide
Useful Sources of FOI Guidance
• Information Commissioner• Department of Constitutional Affairs• JISC list serve• JISC (Records Management Web Pages)• Public Records Office• NHS FOI website• LGA & Constitution Unit Guides• Scottish Executive Training Manual• E-Govt TV • Electronic Service Delivery Web Site• THE FREEDOM OF INFORMATION ACT
Strategic Management
Leadership
Policy & Process
Coordination Culture
Responsibilities o FOI o RM
FOI Procedures Centralisation/ De-
centralisation Exemptions Fees
Staff
Awareness Training
Manager Training
Practitioner Training
Technical Applications Training
Information
Information Audit
E-Govt Data Standards
RM Standards Business
Classification Scheme
Business Process Requirements/ Engineering
Technology/ Functionality
Records Management
Document Management
Content Management
Email Archive Storage Request
Tracking C.R.M
Integrating Knowledge Management
Knowledge Management – Integrating Business Design & Compliance Chief Knowledge Officer – range of responsibilities Increasing integration
DPA/HRA compliance
FOI
Data Standards
Records & Information
Management
Business design & e-
business action plans
Customer relationship
management
IS/IT Strategy
Analytical, research &
statistics services
Research &
evaluation to feed into
decision making
PIU Report on Data Sharing
Business Drivers
• Faster Access to information• Better informed decisions• Facilitates e-govt and electronic service delivery• Improved customer service• Reduce waste from ephemera & duplication• Online services dependent on knowing what information you hold• CRM – accessing information in legacy systems• Demonstrates commitment to openness & accountability• Staff morale
• Business needs & fit with information strategy will influence level of technological investment
• Full fit with modernising govt agenda• But to maximise benefits systems need to be integrated• Colleges and smaller public authorities will need to assess costs &
benefits
Staged Implementation
• Need a clear vision of where you want to get to in terms of knowledge management & business change
– Records Management– Document Management– Content Management– Email Archive– Storage– Request Tracking– C.R.M
• Need to know what is achievable by January 2005– Clear policy– Mapping Information & Record Sets– Responsibilities– Detailed procedures for handling requests– Guidance & Training
FOI Policy Components
• Describe how FOI compliance will be managed• Needs to make connections to information/knowledge management strategy• Needs to identify & allocate responsibilities in terms of:-
– How capture & store information = RM Policy & Standards– How requests are identified and processed = FOI & Environmental Info procedures– Managing & Populating the Publication Scheme– Confidentiality & Contract Conditions
• Policy on Exemptions– Who decides
• Policy on Fees– Whether to apply– Application of prescribed limit– Exceptions
• Training• Outputs• Appeals & Complaints• Monitoring• Performance Management• Managing PR
Records Management – Essential Actions prior to 2005
Minimum Requirements –know what you hold –where it is – and who owns it
• Identify record sets & business purposes• Assign ownership• Ownership responsibilities
– To record minimum information necessary for business purpose & administrative law i.e. reasons for decisions where exercising discretion
– To notify Records Manager of new purposes– Identify retention periods– Identify responsibilities re locating information pertinent to an FOI request– Identify documents/information to be made proactively available under the
Publication Scheme– Restructuring documents for FOI
• Guidance– On recording relevant information communicated in non permanent form
• Notes of meetings/case conferences• Telephone discussions
Records Management Policy
– Email• Policy for including relevant emails in business record
• Management of In & Outboxes –automatic deletion options etc.
– On how to define & manage ephemeral records
FOI Policy Issues
Relationship between FOI & Service Delivery
• Unlike Canadian experience no divide between FOI and other information requests
• All written requests that meet the eligibility criteria governed by Act & Code
• All other enquiries & requests subject to duty to provide advice & assistance
• Provision of information in response to requests is an integral part of service delivery
• So the Act cant be met just by having a centralised & formal FOI Unit
• Need to ask what it means for normal service delivery
• FOI needs to enhance service delivery not get in its way
Relationship between FOI & Service delivery
• The issues – – If all requests for information are potentially caught in what
circumstances can services continue to process requests for information themselves?
– And what needs to change to make that possible?
– Obverse - When do requests need to be processed through formal procedure?
• To put the question another way what needs to change to reflect the move from the current situation where services work on a presumption of non disclosure and the need to know to one where there is a presumption in favour of the right to know?
When can services process requests for information in the normal course of business?
• When the request for information can be fully complied with either by reference to published documents or by response
• Where the policy is to charge fees for FOI requests policy & procedures identify where information is disclosable in a service context outside the fees regime
• Where management controls are in place that ensure that information disclosed across different requests is accurate and consistent
Safeguards• Written procedures clarify what information staff can routinely disclose in their
normal course of activity and ensure they know what to do when requests or enquiries cover other matters
• If the disclosure contains personal information written procedures identify the types of information that can be disclosed to whom and in what circumstances, how the disclosure is to be recorded and the security measures to be applied to guard against unauthorised & inappropriate disclosure
• Security markings and access controls applied to information• KEY MESSAGES – recognise requests - be helpful –don’t say no –seek help &
advice if not sure
What else needs to change?
• Requests for information & responses need to be recorded?• Services must be aware of duty to give help & assistance to enquirers• All requests for information need to be responded to within 20 day response period• Allocating & responding to written correspondence needs clear targets & needs to
be measured and managed • Email correspondence needs to be properly managed to same standards as
written correspondence• Protocols for handling telephone calls including responding to requests to call• Do service complaint procedures need to comply with timescale requirements of
FOI? – many complaints include an information request element• All these service requirements need to take account of problems caused by
overload, holidays and sickness• All published documentation should include appropriate reference to the publics
rights to information & help & assistance
When do requests need to be referred to a formal process?
• When a refusal is contemplated on any basis– The information is not held
– In reliance on any exemption
• Where a response needs to be co-ordinated between service units
• Where request is a formal subject access request• Where guidance is required on duty of confidentiality• Where the request is for the disclosure of personal information
not covered by written procedures
Structural Options for Handling Requests
• Recap - need to define in what circumstances services can process requests for information in normal course of business and what determines when a request for information needs to go through a formal process
• But in very large organisations (Counties & Unitaries) will be further structural options for formal processes
• Can have a tiered approach where some departments can process requests that relate solely to their departments
• Could escalate to central team where requires difficult judgments about confidentiality, what is or is not personal information/redaction & public interest
• E-Govt TV presentations mentions idea of information agents in each section who are trained in all aspects of information management & act as FOI contacts
FOI Decisions
• Limited number of exemptions that will have practical application outside central government
• The Policy will need to identify who decides whether an exemption applies
• If a distributed approach applies mechanisms will be needed to ensure these are applied consistently
• Inconsistency will be apparent if FOI request information is published
• Releases will have implications for services. The Policy should address:-
– how service managers are kept in the loop– how controversial issues can be escalated– where there is an option, the process for determining whether an
exemption should be relied on– How PR implications will be managed (consistent with the
confidentiality of a request)
Policy on Fees
• Policy Decisions– Whether to charge fees for prescribed costs– At or below the prescribed fees– How prescribed costs will be calculated (whose time at what rate/costs
of format)– Whether to comply with requests that exceed the prescribed limit– What charges to apply (at or below actual cost) to requests that exceed
the prescribed limit– Whether to aggregate fees if part of a campaign– When will fees be exempted or reduced (Community Group, Press?)– How does the fees regime apply to service users
• Considerations of natural justice• What would the Ombudsman have to say about too rigid an application?
– What stage to issue fees notice (actual or estimate)?– Need to align fees policy with wider objectives and monitor impact
Fees Rules
• Prescribed costs covers the costs of determining whether PA holds the information, in locating and retrieving such information and includes any costs including staff time in giving effect to the preferences of applicant as to form (i.e. electronic/photocopy)
• Prescribed cost allow you to make a reasonable estimate
• Disbursements cover cost of informing applicant whether hold information and costs of communicating information to him
• Not allowed to charge for costs of considering application of exemptions
Work before Fees are estimated & Received
• Before fees can be estimated some of the questions that will need answers include:– Is the information known to exist?– Is it available by other means?– Are file locations known?– Is the question answered by providing a document(s) or is it buried amongst a lot of other
information and will need to be extracted?– How long will that take?– How will you know that you have all the relevant information?– Is the information in the format requested?– Can the format be changed?– Will the change take the fees above the prescribed limit?– What options are there to bring fees within limits?– What are the disbursement costs?– Does the Authority’s policy on fees mean that fees should be waived or reduced? (Community
Group, Press, Service User?).
– What does the Authority’s Policy on Fees say about aggregating fees if the request is part of a campaign?
• In some cases it will be difficult to estimate reasonable costs in advance of isolating, extracting & reviewing all of the relevant information.
Summary Fees Estimation Flow Diagram
Request Received
Request further information/ narrow focus of enquiry
Start clock Confirm to applicant if changed
Receive confirmation
Validity Test
Is the information known to exist?
No Consult indexes & staff
No information held
Advise applicant/ consider referral
Information held
Are all file locations known?
No Identify file locations
Continue work on exemptions if estimate exceeds time remaining on 20 day clock
Estimate time required to consider likely exemptions/ redact docs
Fees Notice to Applicant (Advice about lower of estimate or actual?)
Estimate prescribed costs & Disbursements
Yes Cost within prescribed costs
No
Consider if 3rd party consultations likely
Consult if appropriate
Refusal Notice & Advice
Is location within files known?
Yes
No
Yes
Yes
Retrieve files and estimate time to extract
Is the information in the format requested?
No Can it be put in the format requested?
Advise applicant of alternatives & Cost implications
Yes Yes
Will this exceed prescribed costs?
No
Yes Advise applicant of alternatives
No Stop Fees clock
Strategies for reducing Fees & Costs
• Producing paper photocopies could represent a significant proportion of the fee.
• Photocopies are relatively expensive, cost more to send out but also take up a lot of staff time.
• Including an estimate for electronic communication of information in all Fees Notices where information held electronically could increase take up, save on wasted resources and increase public confidence.
FOI Skills
• Crucial that FOI team and all those handling initial enquiries communicate culture that encouraging access is a core value and that they are there to help the enquirer
• How members of the public are treated when they contact an organisation is the single most important factor influencing what they think about the organisation
• A positive response will give them a positive experience and reduce the incidence of complaints, particularly where the organisation is unable to disclose all the information they require
• If a written application is made it will be helpful to make contact with the enquirer so that can clarify information sought and demonstrate willingness to help
• Having said that contact & the ability to request further information does provide the opportunity to shape the enquiry
• Making clear what information is readily available free of charge may mean that some choose to leave it at that
FOI Skills
• Except where requests relate simply to identifiable documents FOI officers will need to apply detection & people skills to unearth relevant information
• Even the most sophisticated & comprehensive ERDM system will not unearth all the information
• It is not a case of passively asking departments what they have– Apply intelligence & knowledge of organisation to initial review to ask where
may be located– If relates to a decision construct a decision tree– Interrogate those involved to find out who else involved (management teams,
case conferences etc.)– Interrogate documents disclosed to see if provides further links and leads– Ask to see notes as well as formal reports & correspondence– Check procedures and standards to see what should exist and compare– Query what data bases and other computer systems exist and check– Identify emails
Outputs & Monitoring
Outputs• Periodic Reviews of Publication Scheme documents• Consider web publishing information made available in response
to FOI requests• Long term vision of allocating an FOI compatible security
classification to all documents on creation and making non-restricted documents available to the public
Monitoring• Need to track each stage of requests in formal process• Analyse performance corporately, by departments and subject
matter• Performance Management reporting system
– Bi-annual reports to Management Team– Exceptions & Issues reports to departmental management teams
Risk Management
• Analyse existing complaints to identify service weaknesses– Poor correspondence response times
– Poor telephone practice
– Complaint clusters
• Analyse performance statistics on correspondence and telephone answering
• Identify areas where poor record management practice• Test system prior to 1st January in worst areas• Agree corrective action • Identify key user groups (such as press, residents & tenants) and
work out how they will be dealt with