Presentation to the North West Data Protection/Freedom of Information Group

FOI 2005 and Beyond

18th May 2004

Email: sfwilliams@demosprotocol.co.ukTel: 01432 265782

www.demosprotocol.co.uk

© Copyright Demos Protocol 2004

Demos Protocol

Presentation Content

1. Assumptions & Aims

2. Sources of Guidance

3. Potpourri of Risks & Issues• strategic information management & FOI

• 2 stages of implementation

• policy components

• FOI & service delivery

• structural options

• other policy issues

• fees

• FOI skills

• outputs & monitoring

• risk management

Assumptions

• Mixed Authorities by Sector, Size & Outlook

• Participants vary by:– role, (FOI & DP Specialists, Knowledge & Information

Managers, Administrators, lawyers) – knowledge – & how far preparations have progressed

• At least aware of Act, 2 Codes & MAPs and compliance advice on Commissioner’s web site

Aims

• Questions & discussion points not definitive solutions

• Mixture of key issues & matters not covered elsewhere

• Not a comprehensive risk analysis or implementation guide

Useful Sources of FOI Guidance

• Information Commissioner• Department of Constitutional Affairs• JISC list serve• JISC (Records Management Web Pages)• Public Records Office• NHS FOI website• LGA & Constitution Unit Guides• Scottish Executive Training Manual• E-Govt TV • Electronic Service Delivery Web Site• THE FREEDOM OF INFORMATION ACT

Strategic Management

Leadership

Policy & Process

Coordination Culture

Responsibilities o FOI o RM

FOI Procedures Centralisation/ De-

centralisation Exemptions Fees

Staff

Awareness Training

Manager Training

Practitioner Training

Technical Applications Training

Information

Information Audit

E-Govt Data Standards

RM Standards Business

Classification Scheme

Business Process Requirements/ Engineering

Technology/ Functionality

Records Management

Document Management

Content Management

Email Archive Storage Request

Tracking C.R.M

Integrating Knowledge Management

Knowledge Management – Integrating Business Design & Compliance Chief Knowledge Officer – range of responsibilities Increasing integration

DPA/HRA compliance

FOI

Data Standards

Records & Information

Management

Business design & e-

business action plans

Customer relationship

management

IS/IT Strategy

Analytical, research &

statistics services

Research &

evaluation to feed into

decision making

PIU Report on Data Sharing

Business Drivers

• Faster Access to information• Better informed decisions• Facilitates e-govt and electronic service delivery• Improved customer service• Reduce waste from ephemera & duplication• Online services dependent on knowing what information you hold• CRM – accessing information in legacy systems• Demonstrates commitment to openness & accountability• Staff morale

• Business needs & fit with information strategy will influence level of technological investment

• Full fit with modernising govt agenda• But to maximise benefits systems need to be integrated• Colleges and smaller public authorities will need to assess costs &

benefits

Staged Implementation

• Need a clear vision of where you want to get to in terms of knowledge management & business change

– Records Management– Document Management– Content Management– Email Archive– Storage– Request Tracking– C.R.M

• Need to know what is achievable by January 2005– Clear policy– Mapping Information & Record Sets– Responsibilities– Detailed procedures for handling requests– Guidance & Training

FOI Policy Components

• Describe how FOI compliance will be managed• Needs to make connections to information/knowledge management strategy• Needs to identify & allocate responsibilities in terms of:-

– How capture & store information = RM Policy & Standards– How requests are identified and processed = FOI & Environmental Info procedures– Managing & Populating the Publication Scheme– Confidentiality & Contract Conditions

• Policy on Exemptions– Who decides

• Policy on Fees– Whether to apply– Application of prescribed limit– Exceptions

• Training• Outputs• Appeals & Complaints• Monitoring• Performance Management• Managing PR

Records Management – Essential Actions prior to 2005

Minimum Requirements –know what you hold –where it is – and who owns it

• Identify record sets & business purposes• Assign ownership• Ownership responsibilities

– To record minimum information necessary for business purpose & administrative law i.e. reasons for decisions where exercising discretion

– To notify Records Manager of new purposes– Identify retention periods– Identify responsibilities re locating information pertinent to an FOI request– Identify documents/information to be made proactively available under the

Publication Scheme– Restructuring documents for FOI

• Guidance– On recording relevant information communicated in non permanent form

• Notes of meetings/case conferences• Telephone discussions

Records Management Policy

– Email• Policy for including relevant emails in business record

• Management of In & Outboxes –automatic deletion options etc.

– On how to define & manage ephemeral records

FOI Policy Issues

Relationship between FOI & Service Delivery

• Unlike Canadian experience no divide between FOI and other information requests

• All written requests that meet the eligibility criteria governed by Act & Code

• All other enquiries & requests subject to duty to provide advice & assistance

• Provision of information in response to requests is an integral part of service delivery

• So the Act cant be met just by having a centralised & formal FOI Unit

• Need to ask what it means for normal service delivery

• FOI needs to enhance service delivery not get in its way

Relationship between FOI & Service delivery

• The issues – – If all requests for information are potentially caught in what

circumstances can services continue to process requests for information themselves?

– And what needs to change to make that possible?

– Obverse - When do requests need to be processed through formal procedure?

• To put the question another way what needs to change to reflect the move from the current situation where services work on a presumption of non disclosure and the need to know to one where there is a presumption in favour of the right to know?

When can services process requests for information in the normal course of business?

• When the request for information can be fully complied with either by reference to published documents or by response

• Where the policy is to charge fees for FOI requests policy & procedures identify where information is disclosable in a service context outside the fees regime

• Where management controls are in place that ensure that information disclosed across different requests is accurate and consistent

Safeguards• Written procedures clarify what information staff can routinely disclose in their

normal course of activity and ensure they know what to do when requests or enquiries cover other matters

• If the disclosure contains personal information written procedures identify the types of information that can be disclosed to whom and in what circumstances, how the disclosure is to be recorded and the security measures to be applied to guard against unauthorised & inappropriate disclosure

• Security markings and access controls applied to information• KEY MESSAGES – recognise requests - be helpful –don’t say no –seek help &

advice if not sure

What else needs to change?

• Requests for information & responses need to be recorded?• Services must be aware of duty to give help & assistance to enquirers• All requests for information need to be responded to within 20 day response period• Allocating & responding to written correspondence needs clear targets & needs to

be measured and managed • Email correspondence needs to be properly managed to same standards as

written correspondence• Protocols for handling telephone calls including responding to requests to call• Do service complaint procedures need to comply with timescale requirements of

FOI? – many complaints include an information request element• All these service requirements need to take account of problems caused by

overload, holidays and sickness• All published documentation should include appropriate reference to the publics

rights to information & help & assistance

When do requests need to be referred to a formal process?

• When a refusal is contemplated on any basis– The information is not held

– In reliance on any exemption

• Where a response needs to be co-ordinated between service units

• Where request is a formal subject access request• Where guidance is required on duty of confidentiality• Where the request is for the disclosure of personal information

not covered by written procedures

Structural Options for Handling Requests

• Recap - need to define in what circumstances services can process requests for information in normal course of business and what determines when a request for information needs to go through a formal process

• But in very large organisations (Counties & Unitaries) will be further structural options for formal processes

• Can have a tiered approach where some departments can process requests that relate solely to their departments

• Could escalate to central team where requires difficult judgments about confidentiality, what is or is not personal information/redaction & public interest

• E-Govt TV presentations mentions idea of information agents in each section who are trained in all aspects of information management & act as FOI contacts

FOI Decisions

• Limited number of exemptions that will have practical application outside central government

• The Policy will need to identify who decides whether an exemption applies

• If a distributed approach applies mechanisms will be needed to ensure these are applied consistently

• Inconsistency will be apparent if FOI request information is published

• Releases will have implications for services. The Policy should address:-

– how service managers are kept in the loop– how controversial issues can be escalated– where there is an option, the process for determining whether an

exemption should be relied on– How PR implications will be managed (consistent with the

confidentiality of a request)

Policy on Fees

• Policy Decisions– Whether to charge fees for prescribed costs– At or below the prescribed fees– How prescribed costs will be calculated (whose time at what rate/costs

of format)– Whether to comply with requests that exceed the prescribed limit– What charges to apply (at or below actual cost) to requests that exceed

the prescribed limit– Whether to aggregate fees if part of a campaign– When will fees be exempted or reduced (Community Group, Press?)– How does the fees regime apply to service users

• Considerations of natural justice• What would the Ombudsman have to say about too rigid an application?

– What stage to issue fees notice (actual or estimate)?– Need to align fees policy with wider objectives and monitor impact

Fees Rules

• Prescribed costs covers the costs of determining whether PA holds the information, in locating and retrieving such information and includes any costs including staff time in giving effect to the preferences of applicant as to form (i.e. electronic/photocopy)

• Prescribed cost allow you to make a reasonable estimate

• Disbursements cover cost of informing applicant whether hold information and costs of communicating information to him

• Not allowed to charge for costs of considering application of exemptions

Work before Fees are estimated & Received

• Before fees can be estimated some of the questions that will need answers include:– Is the information known to exist?– Is it available by other means?– Are file locations known?– Is the question answered by providing a document(s) or is it buried amongst a lot of other

information and will need to be extracted?– How long will that take?– How will you know that you have all the relevant information?– Is the information in the format requested?– Can the format be changed?– Will the change take the fees above the prescribed limit?– What options are there to bring fees within limits?– What are the disbursement costs?– Does the Authority’s policy on fees mean that fees should be waived or reduced? (Community

Group, Press, Service User?).

– What does the Authority’s Policy on Fees say about aggregating fees if the request is part of a campaign?

• In some cases it will be difficult to estimate reasonable costs in advance of isolating, extracting & reviewing all of the relevant information.

Summary Fees Estimation Flow Diagram

Request Received

Request further information/ narrow focus of enquiry

Start clock Confirm to applicant if changed

Receive confirmation

Validity Test

Is the information known to exist?

No Consult indexes & staff

No information held

Advise applicant/ consider referral

Information held

Are all file locations known?

No Identify file locations

Continue work on exemptions if estimate exceeds time remaining on 20 day clock

Estimate time required to consider likely exemptions/ redact docs

Fees Notice to Applicant (Advice about lower of estimate or actual?)

Estimate prescribed costs & Disbursements

Yes Cost within prescribed costs

No

Consider if 3rd party consultations likely

Consult if appropriate

Refusal Notice & Advice

Is location within files known?

Yes

No

Yes

Yes

Retrieve files and estimate time to extract

Is the information in the format requested?

No Can it be put in the format requested?

Advise applicant of alternatives & Cost implications

Yes Yes

Will this exceed prescribed costs?

No

Yes Advise applicant of alternatives

No Stop Fees clock

Strategies for reducing Fees & Costs

• Producing paper photocopies could represent a significant proportion of the fee.

• Photocopies are relatively expensive, cost more to send out but also take up a lot of staff time.

• Including an estimate for electronic communication of information in all Fees Notices where information held electronically could increase take up, save on wasted resources and increase public confidence.

FOI Skills

• Crucial that FOI team and all those handling initial enquiries communicate culture that encouraging access is a core value and that they are there to help the enquirer

• How members of the public are treated when they contact an organisation is the single most important factor influencing what they think about the organisation

• A positive response will give them a positive experience and reduce the incidence of complaints, particularly where the organisation is unable to disclose all the information they require

• If a written application is made it will be helpful to make contact with the enquirer so that can clarify information sought and demonstrate willingness to help

• Having said that contact & the ability to request further information does provide the opportunity to shape the enquiry

• Making clear what information is readily available free of charge may mean that some choose to leave it at that

FOI Skills

• Except where requests relate simply to identifiable documents FOI officers will need to apply detection & people skills to unearth relevant information

• Even the most sophisticated & comprehensive ERDM system will not unearth all the information

• It is not a case of passively asking departments what they have– Apply intelligence & knowledge of organisation to initial review to ask where

may be located– If relates to a decision construct a decision tree– Interrogate those involved to find out who else involved (management teams,

case conferences etc.)– Interrogate documents disclosed to see if provides further links and leads– Ask to see notes as well as formal reports & correspondence– Check procedures and standards to see what should exist and compare– Query what data bases and other computer systems exist and check– Identify emails

Outputs & Monitoring

Outputs• Periodic Reviews of Publication Scheme documents• Consider web publishing information made available in response

to FOI requests• Long term vision of allocating an FOI compatible security

classification to all documents on creation and making non-restricted documents available to the public

Monitoring• Need to track each stage of requests in formal process• Analyse performance corporately, by departments and subject

matter• Performance Management reporting system

– Bi-annual reports to Management Team– Exceptions & Issues reports to departmental management teams

Risk Management

• Analyse existing complaints to identify service weaknesses– Poor correspondence response times

– Poor telephone practice

– Complaint clusters

• Analyse performance statistics on correspondence and telephone answering

• Identify areas where poor record management practice• Test system prior to 1st January in worst areas• Agree corrective action • Identify key user groups (such as press, residents & tenants) and

work out how they will be dealt with