Most GP surgeries are familiar with the process to be followed when a patient requests access to their own personal information under the Data Protection Act 1998 – a subject access request.
Freedom of Information requests are less commonly received, but they have a similarly rigid process dictating the time limits for a response and whether it is necessary to disclose the information at all. Failure to respond in an appropriate and timely fashion can lead to the surgery coming under the scrutiny of the Information Commissioner’s Office (ICO) for failing to comply with the legislation.
The Freedom of Information Act 2000 (FOIA) applies in England, Wales and Northern Ireland. Information held by Scottish public authorities is covered by Scotland’s own Freedom of Information (Scotland) Act 2002.
The FOIA allows individuals to gain access to information held by public authorities, the underlying aim being to promote transparency and trust in the public sector. The FOIA does not, however, permit individuals to request patient identifiable information.
What must practices do?
The FOIA only applies to public authorities. However, GP practices are treated as public authorities in respect of ‘information relating to the provision of [primary medical services]’. As such, NHS GP practices would be expected to disclose information and data related to the provision of those primary medical services in response to an FOI request (Schedule 1 Part III clause 43A of FOIA).
The FOIA places two main obligations on a public authority: the first is to proactively publish certain information and the second is to respond to requests for specific information.
Proactively publishing information
The ICO has published a helpful template guide for NHS GP practices identifying the information that they should be proactively publishing with regard to their public function which can be found via the link below.
In addition to proactively publishing material, NHS GP surgeries will also need to respond to individual FOI requests for information.
Responding to requests
Anyone can request information under the FOIA, but the request must be made in writing either by letter or by email. The requester will need to include their real name and also include an address for correspondence, although once again this can be an email address.
The request might take the form of a question or a request for a specific document. If a request is ambiguous, you may need to ask for clarification to enable you to respond to the request.
The FOIA covers all recorded information held by a public authority such as emails, policies, letters and even CCTV recordings. It does not cover information that is in someone’s head; you only have to provide information that is already in recorded form.
Nor does the FOIA cover information that you hold solely on behalf of another person, body or organisation. This means that an employee’s purely private information cannot be requested and patient identifiable information should not be disclosed.
If you are not sure about what should be disclosed, the ICO website provides a guide on responding to requests and you can seek advice from your defence organisation.
Timeframes for responses and fees
The FOIA provides 20 working days in which to provide the response, whether that be the provision of the information that has been requested, or a reasoned refusal to provide that information.
In certain cases you can charge for the information you supply. You are not allowed to charge a flat fee for providing the information but you can recover reasonable costs for photocopying and postage should you wish. You cannot normally charge for other costs, such as for staff time spent searching for information.
If you wish to charge a fee you should send the requester a fees notice, which should be issued within the standard time for compliance.
If you do not hold the information you can comply with the request by telling the requester this in writing. If you know the information is held by another public body you could advise the requester to redirect their request. If the information is already publicly displayed on your website you can redirect the individual to the website.
A well-constructed and comprehensive website can be a means of complying with both the letter and the spirit of the Act, such that otherwise time consuming requests from individuals can be dealt with much more easily and without disproportionate cost.
When can you refuse a request?
According to regulation three of The Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004, a body can refuse a request if it would cost too much (more than £450 for an NHS GP surgery) or if it would take too much staff time to deal with the request.
The regulations say that in estimating whether a request is too costly, the public body can take account of costs it expects to incur in determining whether it holds the information, locating the information, retrieving the information and extracting the information. The regulations say the cost to be used for assessing this should be £25 per person per hour.
A request can also be refused if it is vexatious or if it simply repeats a previous request from the same person. There are also exemptions that may apply to certain information.
Questions of what is (or is not) an excessive or vexatious request require the application of objective tests that can be quite technical in their application; consequently, it would be wise to seek advice from your defence organisation when responding to a FOIA request.
- Dr Lennard is a medico-legal adviser at the MDU
- ICO template guide for GP practices
- What should we do when we receive a request for information - ICO website