Whilst I do try to keep a balance in my blog posts, recognising and indeed supporting the need for openness in the public sector, on occasion I have used this forum to have a bit of a moan about the less desirable impacts of FOI. And that’s fair enough, I think – this blog’s supposed to be about what FOI Officers really think. But I’ve got particular sympathy for one group of FOI Officers – those working for the NHS.

We’re all familiar with tales of NHS targets, and we may even support them where they can be shown to be effective. We’d all like to be seen by our GP whilst we’re either still ill or alive, and when referred to a consultant, it doesn’t seem unreasonable to expect an appointment sometime this year. What you might not be aware of is that these targets even impact on FOI Officers.

The NHS has something called the Information Governance Toolkit (or IG Toolkit). It sets out requirements for all parts of the NHS in respect of information governance including such things as patient confidentiality, data sharing, and compliance with relevant legislation such as the Data Protection Act and, naturally, FOI. Each NHS Trust has to make a submission indicating their rating against a scale of zero to three for each requirement. They also have to collect and upload evidence that they have attained the level they are claiming.

The last time I checked (last year), there were 62 requirements applying to most hospital Trusts, but the number and the standards required are changed every year. Ostensibly, Trusts have to make their Toolkit submission once a year, at the end of March, but in practice, they are required to submit updates on performance on pretty much a quarterly basis. Not surprisingly, the workload involved in collecting all this evidence and submitting it every quarter is pretty onerous. Once this effective ‘audit’ of information governance has been carried out, it is subject to a further audit by the contractors brought in to carry out internal audits, and may well be subject to further external audit.

NHS Trusts are, it is no surprise to anyone, struggling financially. What resources they do have are focussed, quite rightly, on patient care. So there isn’t much resource around to put to work on tackling information governance issues. A typical team (and often they will be spread throughout the Trust rather than placed in one team) in a busy hospital Trust will consist of a Health Records Manager/Librarian, running a registry of patient records with a small team of staff to support them in ensuring that medical staff have the right records to hand when they see patients, and to answer the three or four thousand subject access requests a year from patients (or more often their solicitors) considering taking legal action against the Trust. They may have an Information Governance Manager and/or Officer (if they’re lucky), and maybe a corporate records manager (if they’re very, very lucky). One of those people will be given responsibility for answering FOI requests as well.

So I, and I suspect many of the folk who actually work in information governance work in the NHS, find myself wondering, what is the point of adding to this burden by insisting on Trusts completing quarterly Toolkit returns? If you have limited resources, isn’t it more important to focus on actually improving things than constantly assessing and reassessing progress to the point that you don’t actually have time to make progress? The bods at the top would say that this is about protecting patients, but this activity notably hasn’t actually stopped doctors leaving patient notes on trains or saving records of hundreds of patients onto memory sticks which they then lose. If anything, I suspect it drives bad practice underground as NHS Trusts and their employees are reluctant to admit to failings in their systems. It’s also worth noting that many of the requirements covered by the Toolkit are duplicated (at least) by other target setters (such as the Care Quality Commission), so invariably, Trusts have to provide the evidence to several different bodies.

To give you a flavour of how ridiculous the Toolkit requirements are, here are some of this year’s for FOI, together with comments I’ve received from one of my readers who works for a Trust.

“Documented procedures for identifying ’round robin’ FOI requests and alerting FOI SHA Lead…FOI Lead’s job description should include responsibility for reporting the above…Staff that manage FOI requests should be alert to the possibility that a request may have been sent to a number of organisations – ’round robin requests’ – and there should be a documented procedure for alerting Strategic Health Authority (SHA) FOI leads so that they can provide coordination and support. SHA FOI Leads should in turn alert the Department of Health.”

As the FOI Officer comments, none of this is required to comply with the Act. It’s just additional workload. How do they know if it’s a round robin unless they proactively contact other FOI officers on every FOI they receive? ‘Round robins’ aren’t defined – does it count if only two Trusts receive it? Should ’round robin’ requesters be treated differently? It’s not even as though the SHA lead co-ordinates these responses – they just reiterate that Trusts should comply with the Act. Informal advice is always welcome, but to strictly require professional FOI Officers to report such requests centrally is just overkill.

“FOI applicant feedback / satisfaction surveys”

Yes, NHS Trusts are required to take steps to find out how happy you were with your FOI response. Never mind the fact that if you were dissatisfied, there’s an appeal process you can use. Nor the fact that frankly most people just want the information and don’t want to be bothering with feedback questionnaires or surveys (I can count the number of times someone has proactively sought to get in touch to say thank you for the information they’ve been given on one hand, so they’re not exactly clamouring for us to do this). NHS staff are having to set up surveys specifically to tick this box in the Toolkit.

“Complex complaints/appeals are referred to the IG Forum (or equivalent) for consideration and dealt with appropriately” ; this should be in “the terms of reference for the relevant group”. Also Trusts are required to produce “reports detailing complex complaints and the outcomes”

Most NHS Trusts, as you might expect after 6 years of experience, already have effective appeal processes in place. With 60+ IG Toolkit requirements to monitor most Trust IG Forums/Committees have more than enough to consider at their meetings, without having to review reports on ‘complex complaints’ that have been dealt with.

So if you work in the NHS and are involved with submitting your annual assessment for the IG Toolkit at present, you have my full sympathy. If you’re a journalist, you might want to consider bringing this outrageous waste of time and money to the attention of the Government. Nothing appears to have changed since Mr Lansley arrived in Whitehall, and this is one area that really is suffering from a surfeit of bureaucracy.


  1. I know from personal experience (ie it was me) that some NHS PCTs have made IG staff redundant or have not backfilled their posts, even prior to the Election, which has increased the burden on staff doing ‘day to day’ IG work let alone compiling toolkit returns.

    Wight Pie
  2. Pingback: FOI officers hunting round-robin requests? Three ways to reduce that happening « David Higgerson

  3. I work in the NHS and have just had to complete my IG Toolkit and submit lots of evidence – a ridiculous waste of time and money. With regards to identifying ’round robin’ requests and reporting them to the SHA, there is no legislation or requirement for us to do this, other than for the toolkit. The FoI Act is applicant and motive blind, so we shouldn’t be looking for ’round robin’ requests at all!

    Mr Gatsby
  4. NHS here too – and involved with IGT (more so than FOI now). As a primary care trust, we also have to support hundreds of primary care contractors (GPs, pharmacies and – this year for the first time – dentists and opticians) to make their own returns. The burden on all of us and them is horrendous. The duplication -within- the toolkit is huge, let alone the duplications that arise from CQC/QOF, contract monitoring, enhanced services initiatives. It’s bad enough for us, it’s worse for small providers.

    In terms of the FOI requirement – we don’t even have the capacity here to suitably redact requests (i.e. remove information from the request which might identify the requester) so that we can publish requests and responses online. Which *is* a reasonable requirement – but no-one here has the *time* to make this happen for over 300 requests a year, published/sorted/presented in such a way that it’s actually worthwhile to publish, in terms of other people being able to find the information they want.

    As far as obtaining satisfaction feedback is concerned – well, as foiman says, even acknowledgements of receipt/thank yous are very few and far between, even if we *specifically* ask people to acknowledge receipt on resending a response that (apparently) didn’t arrive on time although we sent it within the 20 days. Can requesters not take on a bit of responsibility and notify us if they are not satisfied?

    Don’t even get me started on the recent requirement to publish all contracts – again, absolutely reasonable in principle, but where is the staff resource coming from to make this happen?

    The redtop howls and government demands to cut costs of bureaucracy do not mesh with the ever-increasing burden of reporting. Too many career politicians who have never actually worked anywhere except in government and don’t have a clue what it’s really like out here.

    S Jones
  5. NHS here too. For me, in many parts the IG Toolkit (especially in its newer format) is a very useful auditable framework for assessing legal and regulatory compliance. Not just internally, but also for commissioned services.

    However, I wholeheartedly agree with FOI Man on the points raised around excessive requirements. As far as my toolkit compliance goes, ensuring that we have robust information security management in place takes precedence over these CfH foibles, and I would argue that case with auditors/DH ’til I’m blue in the face.