- Routinely make information available to the public under the model publication scheme.
- Respond appropriately to freedom of information requests from the public.
- Make sure to respond to FOI requests within 20 working days.
- Respect patient confidentiality and data protection law.
Freedom of information law
Freedom of Information (FOI) aims to make public bodies more accountable and increase public confidence.
The Freedom of Information Act 2000 applies to information held by public authorities in England, Wales and Northern Ireland, as well as UK-wide authorities based in Scotland. The Freedom of Information (Scotland) Act 2002 applies to public bodies in Scotland.
Under the law, public bodies, including GP practices, must:
- proactively publish and update information about their activities
- respond to requests for information from members of the public.
Making information available
You must produce a guide to information (a publication scheme) which sets out:
- what information you routinely publish
- how this information can be accessed (ideally, it will be available on your website)
- what charge, if any, will be made for access to the information
- contact details, so people can request information.
There should be a process for reviewing and updating published information.
Certain information is exempt from FOI, notably where disclosure is prevented by law, and confidential personal information. Exceptions are also made for information which is still in draft form or archived/difficult to access. Seek MDU advice if you are unsure.
England, Wales and NI
The Information Commissioner's Office (ICO) expects you to adopt its model publication scheme and has published guidance and a template for GP practices and healthcare bodies. It covers seven types of information:
- Who we are and what we do – doctors in the practice, contact details, opening hours and other staffing details.
- What we spend and how we spend it (current and previous financial year) – total cost to the PCO of contracted services, audit of NHS income.
- What our priorities are and how we are doing (current and previous year) – plans for developing and providing NHS services.
- How we make decisions (current and previous year) – records of decisions made in the practice affecting the provision of NHS services.
- Our policies and procedures (practices should state if policy is 'not held' as well as listing any additional ones) – policies, protocols and procedures concerning the employment of staff; delivery of services; equality and diversity; health and safety; complaints; and records management (eg retention and destruction), data protection, the handling of requests for information, the patients' charter.
- Lists and registers – it is unlikely that practices will have any publicly available register or list and the ICO advises that 'none held' can be entered here.
- The services we offer – current NHS services provided and any charges, information leaflets and out-of-hours arrangements.
The Scottish Information Commissioner (SIC) has also produced a model publication scheme and general guidance for public authorities. Both are available on its website.
Although similar in scope, the Scottish scheme has nine classes of information. It is highly recommended but not compulsory and you are expected to notify the SIC when you first adopt it.
Responding to requests for information
Under FOI, you must respond to all requests for information from the public and release information unless you have a good reason not to.
The ICO and SIC have produced good practice guidance on what to do if you receive a request, which is summarised below:
- Check it meets the criteria for a valid FOI request. It should be in writing, include the requester's real name and a correspondence address, and describe the information concerned. The ICO says requesters do not have to ask for a specific document (although they may do so), eg they may ask a question about a particular topic.
- Even if the request is not valid, you cannot ignore it. You still have an obligation to provide advice and assistance, which would usually involve telling them how to make a request under FOI.
- If the person is asking for their own personal data, you should deal with it as a subject access request under data protection law.
- Seek clarification as soon as possible if you are unsure what the requester wants.
- Respond to requests within a maximum of 20 working days.
- Inform the applicant of any charges and obtain their agreement. The ICO says charges should be 'justifiable, clear and kept to a minimum'. Legitimate charges might include photocopying and postage.
- If you hold the information, you should normally send it to the applicant using the means they have requested (email, post).
- Redact any sensitive personal information from documents before sending and seek professional advice if necessary.
Refusing a request
There are limited circumstances in which you can refuse an FOI request:
- You do not hold the information – the ICO expects you to have made an adequate, documented search and will consider how thorough you have been in the event of a complaint. If you know the information is held by another authority, you should verify this and advise the applicant.
- The information is exempt, eg it is confidential data about a patient.
- It would cost too much or take too much staff time to deal with the request.
- The request is vexatious. Take care, as you cannot label a request as vexatious because you believe it has little value or you don't like the way it has been made. However, you can take into account the context and history of a request, including the identity of the requester and your previous contact with them. The ICO says: 'The key question to ask yourself is whether the request is likely to cause a disproportionate or unjustifiable level of distress, disruption or irritation.'
- The request repeats a previous request from the same person.
If you are refusing an FOI request, send the applicant a written refusal notice explaining why their request is being refused and citing the relevant provision of the FOI Act. You should also give details of your complaints procedure and their right to complain to the ICO. However, you should keep a record of the reasons for your decision, as you may be required to justify it. Seek MDU advice if you are unsure.
If an applicant is unhappy with the way you have managed their request, it is good practice to review it. A review should be carried out by someone senior, who was not involved in responding to the original request. It should usually take no longer than 20 days.
Enforcing FOI law
You may be breaching FOI law if you do any of the following:
- Fail to respond adequately to a request for information.
- Fail to adopt the model publication scheme (in England, Wales and NI), or do not publish the correct information.
- Deliberately destroy, hide or alter requested information to prevent it being released. This is considered a criminal offence in the Act.
Compliance with FOI law is enforced by the ICO or SIC, depending on jurisdiction. They have powers to:
- Serve information notices, requiring you to provide the specified information within a certain time period.
- Serve enforcement notices where there has been a breach of FOI law, requiring you to take (or refrain from taking) specified steps to comply.
- Issue recommendations, eg improving staff training.
- Issue decision notices detailing the outcome of a complaint investigation.
- Prosecute those who commit criminal offences under the Act.
You have a right to appeal against decisions by the ICO/SIC, but you should obtain expert legal advice.
This guidance was correct at publication 21/05/2018. It is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.