FOI/DPA Handling and Processing

UKFPO POLICY for the HANDLING and PROCESSING of DATA PROTECTION and FREEDOM of INFORMATION REQUESTS

CONTENTS

1. Introduction

2. Data Protection

(1) Privacy policy

(2) Data protection principles

(3) Requests for personal information

(4) Making a legally compliant subject access request

(5) Requests from other agencies

(6) Request log

(7) Complaints

3. Freedom of Information

(1) Publication scheme

(2) The requests process

(3) Applying exemptions

(4) Request log

(5) Charging

(6) Complaints

1. INTRODUCTION

The Data Protection Act 1998 (DPA) and the Freedom of Information Act 2000 (FOIA) both include provisions for accessing information held by public authorities.  The UKFPO is a constituent part of the four UK health departments, which are defined in the FOIA as public authorities.

The most notable differences between the DPA and the FOIA are:-

Whereas the DPA prescribes in detail the limitations on disclosure of personal data, the FOIA allows anyone, anywhere, to request “corporate” information (i.e. information that is not personal data) from a public authority.

Personal data is data that relates to an identifiable living individual (for example, a current or previous employee). An organisation may also hold “sensitive” personal data, such as information relating to an individual’s health or religion.

This policy document describes how the UKFPO will respond to and process requests for information it holds and which is covered by either the DPA or the FOIA. It has been prepared in compliance with relevant legislation and with the guidance provided by the Information Commissioner and the Lord Chancellor and Secretary of State for Justice.

The Information Commissioner publishes guidance relating to the application of this legislation.

The Lord Chancellor and Secretary of State for Justice also publishes guidance relating to this legislation at:- http://www.justice.gov.uk/

 
2. DATA PROTECTION

(1) Privacy policy
The UKFPO Privacy Statement explains how the UKFPO processes personal data. It is based on recommendations in the Data Sharing Review undertaken by Richard Thomas and Mark Walport, 11th July 2008 (Recommendation 3). The UKFPO Privacy Statement is published, in full, on this web site.

The basis of everything the UKFPO does in relation to the processing of personal data is enshrined in the DPA 1998, which established the following principles that all public authorities must follow.

(2) Data protection principles
In complying with the eight principles in the DPA, the UKFPO will:-

i. process personal data fairly and lawfully (see our Privacy Statement)
ii. use personal data only for defined purposes
iii. only process personal data which is relevant to these purposes
iv. ensure that, where possible, personal data is accurate and up to date
v. ensure that personal data is retained for no longer than is necessary
vi. process personal data in compliance with the rights described within the DPA
vii. ensure that personal data is held securely
viii.  process personal data that it holds within the UK.

See also the UKFPO Records and Information Management Policy.

(3) Requests for personal information
Under section 7 of the DPA, any person about whom the UKFPO processes data has the right to make a Subject Access Request (SAR).

This policy describes the processes the UKFPO will follow in responding to a SAR and briefly refers to certain other rights of data subjects under the DPA.

(4) Making a legally compliant subject access request
i. A SAR must be made in writing, and for the purposes of the UKFPO must contain an original signature of the applicant.  The UKFPO will not accept a SAR by email or fax.

ii. The SAR must normally be submitted by the data subject, i.e. the person about whom the UKFPO processes the data. A request may also be made by a representative of the data subject, but it must then include a statement giving the data subject’s consent for disclosure to the representative.

iii. The UKFPO will always require proof of the identity of the data subject, in the form of a photocopied photo passport page or photo identity card.

The UKFPO may also take additional reasonable steps to confirm the identity of a data subject’s representative (where appropriate) in order to safeguard the information they hold.

iv. Any SAR submitted to the UKFPO must contain sufficient information to enable the organisation to identify the data/information required.

v. The UKFPO will not charge for supplying a copy of personal data.

vi. The UKFPO will provide a copy of the requested information within 40 calendar days of receiving a valid request. Records will be posted using the Royal Mail “Recorded Signed For”™ facility.

vii. Address for requests:-

Data Controller
UK Foundation Programme Office
Regus House
Falcon Drive
Cardiff Bay
Cardiff
CF10 4RU

(5) Requests from other agencies
The UKFPO may be asked by foundation schools for personal data relating to the eligibility of a successful Foundation Programme applicant. Where applicants have indicated as part of the application process that they consent to this information being disclosed, the UKFPO will provide it on request (see our Privacy Statement).

The UKFPO may receive requests for personal information from other agencies and these will only be considered in compliance with relevant UK legislation.

(6) Request Log
The UKFPO will maintain a log of requests to enable it to administer SARs. (See Appendix A)

This log will not be made available through the UKFPO Publication Scheme (see also 2. Freedom of Information, (5), below).

(7) Complaints
If you wish to complain about the way in which the UKFPO implements the DPA, you should write with details to:-

National Director
UK Foundation Programme Office
Regus House
Falcon Drive
Cardiff Bay
Cardiff
CF10 4RU

If a complaint is not resolved to the satisfaction of the complainant, they should then contact the Information Commissioner at:-

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

3. FREEDOM of INFORMATION

(1) Publication scheme
The UKFPO has adopted the model publication scheme provided by the Information Commissioner under the FOIA and has produced an appropriate definition document. The UKFPO will proactively and routinely make available on its website “corporate” information that it holds, together with relevant guidance.

(2) Confidentiality
Information held by the UKFPO which is of a personal and confidential nature and which would normally be exempt from disclosure under the FOIA will be excluded from the publication scheme. Additionally, other information which might attract an exemption defined in the FOIA, such as information relating to the health and safety of specific individuals, or to law enforcement, criminal, regulatory enforcement or audit issues, may also be excluded from routine or proactive publication.

(3) The Request Process
i. Requests for information which is not made available through proactive or routine disclosure but which may still be held by the UKFPO (see also DPA requests) must be made in writing to:-

Data Controller
UK Foundation Programme Office
Regus House
Falcon Drive
Cardiff Bay
Cardiff
CF10 4RU.

Email: info@foundationprogramme.nhs.uk

Requests received by letter, email or fax will be regarded as written requests.

If a request is received by phone or in person, the UKFPO will ask the applicant to confirm details of the request in writing.

ii. To enable the UKFPO to send the requested information or to seek clarification of a request, all requests should include contact details, i.e. a name and an address (the address can be either postal or email).  A request cannot be considered valid under the FOIA unless it contains at the very least a name and address for response.

iii. When a request is received, the UKFPO will send an initial reply within five working days (by letter or email, as appropriate) with the following minimum details:-
• confirmation of receipt of the request
• a request reference number assigned by the UKFPO
• a statement, if this is known at this stage, as to whether or not the UKFPO holds the information
• confirmation of the date for a final response, if applicable (see vi. below).

iv. The UKFPO has a duty to “advise and assist” an applicant under the FOIA and it will, if a request is not sufficiently clear, seek clarification from the applicant at the earliest opportunity. Any clarification requested should be provided within the time limit set by the UKFPO so that the organisation can deal with the request within the 20 day statutory deadline. If no such clarification is received, the UKFPO will make decisions about the disclosure of the information requested on the basis of such detail as is available to it.

v. If a request for information exceeds the "appropriate limit", i.e. it would cost the UKFPO more than £450 to locate, retrieve and extract the information, the UKFPO will not comply with the request (see Part I, Section 12 of the FOIA).

The UKFPO will inform the applicant of this decision and will discuss with the applicant whether the request can be amended to bring it below the appropriate limit.

vi. The UKFPO will respond, in full, to all requests within 20 working days.
For the purpose of this policy, a working day is any day other than a Saturday, Sunday, Christmas Day, Good Friday or a day which is a bank holiday in England or Wales under the Banking & Financial Dealings Act 1971.

vii. Subject to any applicable exemptions (see (4) below) the information requested will, within reason, be provided in the format required by the applicant.

(4) Applying Exemptions
The FOIA permits public authorities to consider the application of specified exemptions which may protect information from disclosure. If the UKFPO considers that an exemption from the right to disclosure applies, and, where appropriate, considers that there is greater public interest in not disclosing information than there is in disclosure, the UKFPO will document its conclusions (including the rationale applied) and provide details of this to an applicant by means of a refusal notice.

(5) Disclosure Log
i. The UKFPO will maintain a detailed log of all requests received.  An example of this log can be found in Appendix A.

ii. The UKFPO will make available a summary of this log on its website.  This summary will not identify an individual applicant by name but will include, for example, company names or media titles (e.g. newspaper or broadcaster names).

(6) Charging
i. Information which can be viewed, downloaded or printed from the UKFPO web site will be free of charge, subject to users bearing all of their own internet service provider, printing or other costs.
 
ii. If the UKFPO is asked to print documents from the website for an applicant the UKFPO reserves the right to raise a charge to cover the cost of printing, copying and postage (see standard charges below).

The UKFPO will confirm any charges to the requestor, and will not normally provide any information until these charges are paid.

Standard charges
Printing or copying, per A4 sheet – 10p
Postage - charged at cost

iii. SPECIAL NOTE - Information from the UKFPO website is subject to copyright and must not be used for commercial purposes.  The UKFPO will consider allowing commercial use of this information under the Re-use of Public Sector Information Regulations 2005 but it should be noted that any such use will require a licence and may incur a fee. Applications for re-use should be made to:-
 
Director of Strategy and Communications
UK Foundation Programme Office
Regus House
Falcon Drive
Cardiff Bay
Cardiff
CF10 4RU

(7) Complaints
i. If an applicant is dissatisfied with the way in which the UKFPO has responded to a request, they must, in the first instance, ask the UKFPO to review the process used and/or decisions reached. The applicant should state, in writing, why they are dissatisfied.

ii. The UKFPO will review its processes and the decisions taken as appropriate and will write to the applicant at the conclusion of the review.

iii. If the requestor remains dissatisfied with the UKFPO response they may then complain to the Information Commissioner’s Office (ICO). The ICO will not normally deal with complaints until a review has been completed by the public authority concerned. Any complaint to the ICO must be made within two months following the final response from the UKFPO.

The contact details for the ICO are:-

FOI/EIR Complaints Resolution
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Further guidance regarding complaints can be found on the ICO web site:-

http://www.ico.gov.uk/complaints/freedom_of_information.aspx
