Appendix 4            Formal requests for information 2022/23

 

 

1.0     Internal reviews of formal information requests

 

1.1     Complaints regarding the final responses to Freedom of Information (FOI) and Environmental Information Regulations (EIR) Requests have their own procedure as an internal review carried out by Legal Services. For Data Protection subject access requests (SARs), the Customer Services Team (CST) reviews and responds if the customer remains dissatisfied and asks for legal support if it is particularly complex. For Data Protection related matters, customers can complain to the Council’s Data Protection Officer if they remain unhappy. For all the types of information requests, there is the option to complain to the Information Commissioner’s Office (ICO) if the customer remains dissatisfied.

 

1.2     In 2022/23, we received four requests for internal reviews, which is fewer than previous years with six requests received in 2021/22, and seven received in 2020/21. Out of the four internal reviews, Legal Services found fault with two requests (as compared to fault found with four cases out of six in 2021/22). For the two in 2022/23 where fault was found, customers were provided further information held by the Council. For the remaining two in 2022/23, no fault was found with one, and one is incomplete due to the requester escalating it to the ICO and the Council has not received instruction from the ICO. CST and Legal Services continue to work closely to identify where improvements can be made irrespective of complaints or internal reviews received in order to provide informative and helpful responses to requests for information.

 

2.0     Complaints to the Information Commissioner’s Office (ICO)

 

2.1     The ICO first serves an Information Notice to the Council requesting it reviews the complaint and tries to resolve it when a member of public makes a complaint. The CST received two information notices regarding information requests in 2022/23, compared to five in 2021/22 and one formal complaint from the ICO in 2020/21.

 

2.2     Both of the information notices received in 2022/23 were resolved and no further action by the ICO was needed. The resolutions entailed:

 

·         The ICO agreed the Council should continue to complete the internal review already underway.

·         The ICO was satisfied that the Council had complied with EIR by providing the ICO with the responses the Council had given to the requester. No further steps were required.

 

2.3     There are various reasons why the ICO may contact the Council. These are no longer solely about information requests we receive. ICO also contacts the Council regarding complaints it receives in relation to any data protection concern including potential data security incidents. The ICO initially takes an informal approach and raises any concerns on behalf of a customer about their personal data. ICO will ask us to investigate and take ownership in the first instance and to report back to the ICO how we remedied the situation directly with the customer. Sometimes communication takes place directly with a service or mostly in contact with our Data Protection Officer. Some of the reasons the ICO contact us do not fall under this annual report. However, where contact from the ICO is relevant to this report, it has been included.

 

 

3.0     The complexities of Subject Access Requests

3.1     People rely on the Council to record and store their information and make it available upon request. When requested, the Council provides an important and statutory service of fulfilling these Subject Access Requests (SARs). In this section we try to provide more narrative around the meaning and importance of SARs and how they are processed and handled within the Council, including a process chart at the end of the appendix to illustrate this visually.

3.2     Access to data can have a significant impact on people’s lives; helping them to understand why decisions were made, for example why someone might have been taken into care as a child. They can also provide evidence to support decision making in current proceedings. Therefore, by their very nature the SARs process can be complex, for example, retrieving information spanning decades and located across many different services across the Council. Some requests can involve personal information of several family members.

3.3     Information Governance staff across the departments help and assist in fulfilling the requests the public make for their information. Staff handle each case with sensitivity as each case is unique and involves individual life stories, relationships, and circumstances unique to the person or persons requesting the information.

4.0     How Subject Access Requests are processed and fulfilled

4.1     It is difficult to quantify the time taken to complete these cases as there are several stages to the process. Fulfilling SARs depends on a large pool of staff across the departments, particularly in Adult Social Care and Children’s Services departments. It entails gathering information from front line staff who need to balance important requests for information with other safeguarding priorities.

4.2     Processing is dependent on individual departments and overseen by information governance professionals. However, it can be necessary to make checks with multiple staff where the circumstances of a case are very sensitive, including Legal Services.

4.3     SARs may need to be handled differently depending on the age of information being gathered, and some may need retrieving information from long-term storage. Some SARs can be thousands of pages and carrying out redactions can therefore be a lengthy process. Although the legislation allows us to extend the deadline for a further two months if a case is complex, it can often take longer.

4.4     It is also difficult to manage any influx of SARs as increases can be unpredictable. The nature of requests and volumes of information requested mean that staff capacity does not always meet the demand.    

4.5     To ensure we gather all the data relevant to a request, searches must be carried out in several locations, e.g., group inboxes, personal inboxes, (included sent, deleted items and separate folders) CMS, network folders and anywhere else teams may store content. This also includes paper records stored in offices or the Record Centre. We actively try to reduce the level of duplication when collecting data by being clear in our communications with staff about what they should search for.

4.6     We keep customers informed about delays and discuss whether it’s possible to identify specific pieces of information which are most important to receive. If information is needed by a specific date, every effort is made to achieve this. This allows us to disclose smaller sections of information over time to ensure that customers receive the most useful information as soon as possible. Where possible we will identify and communicate a deadline to the customer, however this is difficult to guarantee due to fluctuating workload priorities.

4.7     We work flexibly with customers to ensure their information is provided to them in a way which is most accessible to them. For example, we have procedures in place to work with third party representatives and supply documentation in electronic or paper format.

4.8     If multiple members of a family make a request, we explain our processes to families to identify whether they consent to information being shared with, for example, their partner or siblings. This allows us to reduce the time taken to redact documentation and avoid duplication. Without this consent, redaction can be very time consuming as we must manually review every document to identify content which may be exempt.

4.9     The process chart below illustrates the processes for the Information Governance (IG) teams and staff and other teams involved across the Council for fulfilling Subject Access Requests.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Request for deceased persons records,Subject Access Request (SAR) validated. Details of information request sent to: o Relevant teams/staff o Legal Services ,Voluntary disclosure Freedom of Information request ,Historic cases • IG team gather and receive information • IG team prepare documentation for review • IG team review and redact Current cases Communication, Planning and Performance: • IG team gather and receive information • IG team prepare documentation for review • IG Team review and redact Early Help and Social Care (EH&SC) resource sits in the IG Team: • EH&SC IG team gather and receive information • EH&SC IGO prepare documentation for review • EH&SC IGO Review and redact • PM EH&SC sign off redacted information ISEND: • IG trained teams gather and receive information and review and redact information • Sign off by manager • Information checked by IG team ,Process chart 1: SAR processes across the Council

Adoptions Team investigate                                                                           

Request for adoption records
CSD SAR
ASC SAR
All other dept SARs
Employee SAR
• IG team gather and receive information • Prepare documentation for review • Review and redact
• IG team receive information • Prepare documentation for review • Review and redact • IG team receive information • Prepare documentation for review • Review and redact
Council staff search: • Group Outlook inboxes • Personal Outlook inboxes • Network folders • SharePoint folders • Case Management systems • Paper files