Schools and colleges are facing a range of new challenges in an effort to adapt to the “new normal” during the COVID-19 pandemic. One not-so-new challenge is the resurgence of requests for information made under the Freedom of Information Act 2000 (“FOIA”). In recent weeks, schools and colleges have received scattergun requests from journalists and members of the public, requesting information about COVID-19 testing and reported cases. In this briefing, we cover the approach to handling such requests as well as the key exemptions that may apply in this context.
- How to handle an FOIA request
The starting point under the FOIA is that the information requested must be disclosed unless there is a good reason not to do so, i.e. the information requested falls under an exemption set out in the FOIA. FOIA only gives a right to recorded information and so if the information is not recorded anywhere then it does not need to be provided.
On receipt of a request, schools and colleges generally have 20 school days (i.e. days that pupils are in attendance) or 60 working days (whichever period is shorter) to respond to the request from the date of receipt. A response must be sent to the requestor before the statutory timeframe elapses confirming whether the information is held and if any information is being withheld on the basis that an exemption under the FOIA applies (subject to certain exceptions).
Before responding to an FOIA request, it is essential to review the information for disclosure in order to establish whether it is disclosable and whether any exemptions under the FOIA may apply.
- Requests for personal information of staff and pupils
Some clients have reported receiving FOIA requests seeking information about individuals, such as confirmation of the number of pupils and staff testing positive for COVID-19. The FOIA provides that personal data of third parties (anyone other than the requestor) is exempt from disclosure where complying with the request would breach any of the principles in the GDPR (known as the “personal information exemption”).
For the information requested to constitute personal data, it must relate to a living individual, and that individual must be identified or identifiable. If the information cannot be linked to an individual then in principle there is no issue with disclosure; however, it is important to carefully consider the risk of identification. Where statistics are being requested, the smaller the numbers involved, the higher the risk of identification. If a member of staff or a pupil at the school could look at the statistics provided and identify the individuals in question, then the information will constitute personal data.
Information is not automatically exempt just because it is personal data. Instead, it is necessary to consider whether disclosing the information would be in breach of the data protection principles set out in the General Data Protection Regulation (“GDPR”). In particular, it is important to consider whether disclosure would be lawful, fair and transparent in relation to the individuals involved (Principle 1 of the GDPR).
In establishing whether the disclosure of personal data in this context is lawful, it is essential to identify an appropriate lawful basis for disclosure. In addition, as the information requested constitutes information about health (a type of special category data, which is afforded extra protection under the data protection regime), an additional condition must be identified to allow disclosure.
If a valid legal basis for disclosing the information has been identified, it is still important to go on to consider fairness and transparency. This will involve consideration of a range of factors, including the consequences of disclosure for the individual(s) concerned, whether the individual(s) would reasonably expect their information to be disclosed to the requestor, and indeed whether it is appropriate to make the information requested public (as the FOIA is about disclosure ‘to the world’ – not just to specific individuals).
- The question of confidentiality
Under the FOIA, confidential information is exempt from disclosure. For information to be confidential, it must meet certain conditions; however, there is no need for a written confidentiality agreement to be in place.
However, this exemption does not apply to information generated within an organisation; it only applies where the information in question is received from someone outside the organisation and complying with the request would lead to a legal claim for breach of confidentiality.
Generally speaking, if a staff member discloses that they have tested positive for COVID-19 this information will be inherently confidential. However, in such a case the most appropriate exemption would likely be the personal information exemption, as opposed to the confidentiality exemption.
- Duty to provide advice and assistance to the requestor
The FOIA imposes a duty on public authorities to provide advice and assistance to individuals making requests for information under FOIA, so far as it would be reasonable to expect them to do so.
The Information Commissioner’s Office (“ICO”) considers it good practice to be prepared to provide advice and assistance to an applicant who has had their request turned down on the basis of an exemption. This is particularly relevant where the request is refused on the basis that the information is already available to the requestor by another route (e.g. on the website) or where the information is intended for future publication.
If your school or college has received an FOIA request or you have any questions around this topic, a member of our Information Law Team would be very happy to assist.