Revised S.45 Code of Practice under FOI

Filing records

GDPR has taken the limelight from other information governance legislation especially Freedom of Information.  In July 2018, the Cabinet Office published a new code of practice under section 45 of the Freedom of Information Act 2000(FOI) replacing the previous version.

In July 2015 the Independent Commission on Freedom of Information was established by the Cabinet Office to examine the Act’s operation. The Commission concluded that the Act was working well. It did though make twenty-one recommendations to enhance the Act and further the aims of transparency and openness. The government agreed to update the S.45 Code of Practice following a consultation exercise in November 2017.

The revised code provides new, updated or expanded guidance on a variety of issues, including:

  • Transparency about public authorities’ FOI performance and senior pay and benefits, to mandate the FOI Commission recommendations for greater openness in both areas.
  • The handling of vexatious and repeated requests. The FOI Commission specifically recommended the inclusion of guidance on vexatious requests.
  • Fundamental principles of FOI not previously included in the code, e.g. general principles about how to define “information” and that which is “held” for the purposes of the Act.

In the latter section the code makes a number of interesting points:

  • Information disclosed as part of “routine business” is not an FOI request. Section 8of the Act sets out the definition of a valid FOI request. Judge for yourself if this advice is accurate.
  • Information that has been deleted but remains on back-ups is not held. This goes against a Tribunal Decision as well as ICO guidance.
  • Requests for information made in a foreign language are not valid FOI requests. Again refer to section 8 above. It does not say a request has to be in English!

The code is not law but the Information Commissioner can issue Practice Recommendations where she considers that public authorities have not complied with it. The Commissioner can also refer to non -compliance with the code in Decision and Enforcement Notices.

As well as giving more guidance on advice and assistance, costs, vexatious requests and consultation, the code places new “burdens”:

  • Public authorities should produce a guide to their Publication Scheme including a schedule of fees.
  • Those authorities with over 100 Full Time Equivalent (FTE) employees should publish details of their performance on handling FOI requests on a quarterly basis.
  • Pay, expenses and benefits of the senior staff at director level and equivalents should be published quarterly. Of course local authorities are already required to publish some of this information by the Local Government Transparency Code.
  • The public interest test extension to the time limit for responding to an FOI request (see S.10(3)) should normally be no more than 20 working days.
  • Internal reviews should normally be completed within 20 working days.

Furthermore, the other S.45 Code covering datasets has been merged with the main section 45 Code so that statutory guidance under section 45 can be found in one place. There is also an annex explaining the link between the FOI dataset provisions and the Re-use of Public Sector Information Regulations 2015.

Public authorities need to consider the new code carefully and change their FOI compliance procedures accordingly.

We will be discussing this and other recent FOI developments in our forthcoming FOI Update webinar.

Free Information Governance Briefings for the Health Sector

FreeIGBriefing

Act Now Training is pleased to announce a series of free Information Governance briefings for the health sector.

The IG landscape has changed dramatically in a relatively short space of time. Healthcare professionals are facing new challenges in the form of the General Data Protection Regulation (GDPR), the Data Protection Act 2018 and the Data Security and Protection Toolkit.

In each free briefing, we will explain what these changes mean in practical terms and dispel some of the myths associated with the new legislation. Time has been allocated for questions, discussion and networking. Participants will leave with an action plan for compliance.

These briefings are ideal for Information Governance Leads in General Practices, pharmacies, Clinical Commissioning Groups, dentists, care homes and other healthcare providers.

The speakers are Ibrahim Hasan, a solicitor and director at Act Now Training, and Craig Walker, Data Protection Officer at St Helens and Knowsley Hospitals NHS Trust. Both are well-known experts in this field with many years of experience in training and advising the health sector. Other members of the Act Now team will also be on hand to answer participants’ questions over a complimentary lunch.

Agenda

9.45am – Registration

10am – Start

  • The General Data Protection Regulation (GDPR) and the health sector
  • Data Protection Act 2018 – What does it mean for me?
  • Data Security & Protection Toolkit – Overview and summary of key changes
  • National Data Guardian (10 Data Security Standards) – What are they and why are they so important?
  • Data Protection Impact Assessments – When and Why?
  • Subject Access Requests – Looking at separating the facts from fiction – to charge or not to charge
  • Data Breach Prevention – What can we do to minimise the likelihood of breaches occurring
  • Cyber Security Basics – What to be on the lookout for
  • The role of the Data Protection Officer – Do I need one and what is their role?

12.00pm – Open Forum and Lunch

There are limited places available on each briefing so please book early to avoid disappointment.

These briefings are part of a series of courses specially designed for the health sector. This includes our GDPR workshops and the Certificate in Information Governance.

 

%d bloggers like this: