The Freedom of Information Act 2000 and data retrieval

Find out what the Freedom of Information Act 2000 requires in terms of data retrieval and how to use an FoI request to improve data classification in your storage systems.

The Freedom of Information Act 2000 allows members of the UK public to make information held by government bodies and some other types of organisations freely available. But what does a Freedom of Information Act 2000 request require of an organisation in terms of data retrieval, and how can the request process be used to improve your storage systems?

In this interview, Bureau Chief Antony Adshead speaks with Mathieu Gorge, CEO of Vigitrust, about the process of responding to a Freedom of Information Act 2000 request and how you can turn the process to your advantage.

Listen to the podcast on data retrieval for Freedom of Information Act 2000 or read the transcript. 

What does a Freedom of Information Act 2000 request require in terms of data retrieval from storage systems?

Gorge: First of all, we need to go back to the definition of the act. The Freedom of Information Act [2000] gives people—individuals and businesses—a general right of access to information that’s held by most public authorities. It’s aimed at promoting a culture of transparency and accountability across the public sector in the UK. It enables a better understanding of how public authorities carry out their duties.

So, if you are a public authority and a request is submitted to you, the first thing to do is to make sure you have to answer it. There might be exceptions, meaning that you may not need to answer the request—for instance, if the request is “vexatious” or a repeated request as defined by the Information Commissioner’s Office (ICO) or if the request is really not aimed at protecting information in the general interest of the public or national security.

So, once you have established you need to answer it, then comes the technical challenge of finding the data.

The first question is, Do you have the data? [You may] no longer have it because under your disposal policy, you have had to get rid of it—for instance, to comply with Data Protection Act 1998 regulations.

Let’s say you do have the data. You now need to locate it, physically or logically. Once you know where the data is, you then need to access it, and at that stage comes the challenge of access rights, especially if the data is encrypted, whereby you need to make sure that you have the right key management system to decrypt the data at that stage.

It’s important to know as well that you need to be able to publish information responding to individual requests under [what are] known as publication schemes. The ICO has published some very good FAQs: one for applicants, people who want information, and there’s another one for public authorities to help them to prepare for such requests.

Freedom of Information Act 2000 requests will ask you to provide information on how monies are being spent, the current status of work being performed by the authority, the decision making process, the policies and procedures being used, and the lists and registries that might be used in the process.

And so as you can imagine, you need to be able to classify those assets. The information classification scheme within your organisation becomes critical to be able to manage the information and to manage the requests.

How can you use a Freedom of Information Act 2000 request to improve your storage systems?

Gorge: [Dealing with a Freedom of Information Act 2000 request] provides you with the opportunity to classify your information better … by types of usage. Once you know what information is going where, you can put in place a strategy that allows you to very quickly and cost-effectively access that information at a logical level and at a physical level.

Bear in mind that if your information is only held in paper form, you will need to scan it and then be able to provide it to whoever submitted the request.

I spoke earlier about organisations maybe using their deletion policy to make sure that they comply with other regulations or industry frameworks, so it is a case of being able to make sure you know where your information is.

That leads onto training staff in how to use storage systems the right way. That will cover points such as, How do I give access to the data, to the right people, in a timely and efficient manner?

So, altogether, using the [Freedom of Information Act 2000] request to improve your storage systems will allow you to reduce your data management costs and also to get greener while becoming compliant.

Another thing to bear in mind is that there is a cost implication in dealing with these requests, and so the ICO has set limits, which are £600 for a government department and £400 per request for a local authority. The ICO has also set a time value of £25 per hour, which means that for a government department it is eight hours per day or a maximum of three days per request and for a local authority 2.25 days to be within that cost.

That means you need to have the right process in place to get as much information to comply with the request within those short time frames.

The act says that if you can’t get the information within that time, you can pass on the cost to the entity that has requested the information. They may or may not agree to the cost and may drop the case, but in most cases the authority will cover that cost because it doesn’t really look good not to proceed with a Freedom of Information Act 2000 request. So, what some authorities do is provide as much information as possible within that time and budget, or they cover the difference.

It all goes back to being able to access data on your storage systems the right way. So, it’s a mix of logical and physical access to the information, which goes back to the data classification framework that every organisation needs to have in place.
