While I’m still doing plenty of GDPR-related things, just lately I’ve been much more involved with the Freedom of Information Act (FOIA). While this is something that mostly affects the public sector, it occurs to me that there are lessons from working with the Act that apply to all organisations.
A number of nations have introduced Freedom of Information laws to promote transparency in government and other public services. The United Kingdom’s version is the Freedom of Information Act 2000 (unless you’re in Scotland, in which case it’s the Freedom of Information (Scotland) Act 2002). Of course, nobody wants to make this TOO easy, so there are also the Environmental Information Regulations 2004 to cover requests for information about environmental matters… but for now let’s just talk about the FOIA (2000). You can have too much of a good thing, after all.
Now, if you’re in the private sector you might be tempted to skip this entire post: FOI only applies to public bodies, right? Well, bear with me. For a start, no, that’s not quite right. And besides, I have a broader point to make that applies to all organisations, both public and private.
So, what will I take away from an intensive few months of working with FOIA? Three things:
It’s a growth area. People are increasingly aware of their rights under FOIA and are far more willing to exercise them than they were ten or even five years ago. I’ve been working in Higher Education these past few months – from a quick benchmarking exercise, I would estimate that FOI requests in the sector are increasing by about 20% year on year. Public authorities that once had maybe just the one information officer now need to have a team.
Even if you’re a private company you can be obliged to provide information under the Act. This is a contentious area: the Information Commissioner’s Office (ICO) has made no secret that it wants the scope of the Act extended to private companies performing outsourced work for public bodies. At the moment such companies are not subject to FOI requests themselves – however, the public body responsible for the outsourcing IS obliged to disclose information “held on their behalf” by a private organisation.
How does this work? Well, here’s an example: let’s say a local council outsources an IT project to a contractor, who in turn uses sub-contractors. A member of the public puts in an FOI request to the council asking to see evidence of ISO9001 certification for all the companies working on the project. Is the council obliged to ask the main contractor for this evidence and then disclose this information? If the tender put out by the council stated that all sub-contractors must be ISO9001 certified then yes, it is. The council required the main contractor to gather ISO9001 evidence for its sub-contractors, meaning the information IS being held by that company “on behalf of” the council.
However, if the main contractor gathered such evidence of their own accord but there was no such requirement stated by the council, then the information is NOT being held “on behalf of” the council: the council would not be obliged to obtain it and disclose it in responding to the FOI request.
As you can imagine, there’s room for interpretation here (and that’s without considering the exemptions that can be used to not disclose information – for instance, Section 43 of the Act allows information to be withheld if it constitutes a trade secret or would be likely to prejudice commercial interests, although this is a qualified exemption, so the public body still has to weigh the public interest in disclosure before relying on it). If you’re a private company doing work for a public body, you should make sure you understand the Act well enough to know when it applies to you and when you can argue that it doesn’t. And when it DOES apply to you, have the ability to retrieve and supply the information within the statutory 20 working days.
Which brings me to my final point…
Nobody knows more about your organisation than your information management people. Even if FOIA doesn’t (usually) apply to an organisation, the data protection laws do. A small business needs to have someone who deals with Subject Access Requests, data protection compliance and data breaches: in larger companies this will probably need a dedicated team.
Believe me, nobody knows how to get operational information about your business like these people do. They know who in HR can access job interview notes, they know who in Finance can pull reports together quickly, they know who in Procurement can get their hands on tender evaluation scores. They know just how well (or otherwise) your various systems talk to each other (ask them how many places they need to check if they receive a Subject Access Request: if the list is quite long, you maybe need to think about integrating your management information systems). They will also be painfully aware of where your organisation is falling down when it comes to looking after the information it holds.
If you are starting as a senior manager in a new organisation, pop along and pay your information management people a visit. They probably don’t realise it, but, alongside their day job of compliance and data governance, they sit at the heart of a network of people who know how to find things out and make your information systems work. And if your information systems DON’T work, they will know – and have a fair idea what needs to improve.
Note down their list of useful contacts, buy them a coffee and maybe even move them out of the basement. You won’t regret it!