Last week I posted about the NHS Information Governance Toolkit and its FOI requirements. David Higgerson highlighted in his blog on journalism the rules that NHS FOI Officers are expected to follow in relation to ’round robin’ requests. David was particularly concerned that this undermined the principle that requests should be processed in an ‘applicant blind’ manner. It started me thinking about what we circulate internally about requests and, more especially, requesters.
This whole issue of how requesters’ details should be handled is a fraught one for FOI Officers. Many of them are also responsible for Data Protection compliance in their organisations and are only too aware of the importance of protecting personal data. They are also keen to maintain the ‘applicant blind’ principle themselves.
In my experience, this can put them on a collision course with politicians and senior officials in their organisations. I’ve heard of FOI Officers and other staff being bawled at by very powerful people because they refused to provide this information. I’ve also heard of individuals who have decided to leave public bodies after being put under pressure in this way.
My own approach to this tricky issue is to routinely remove names and contact details from requests before circulating them. If someone wants to know who has made a request, I will initially tell them what kind of requester has made the request (eg private individual, journalist, business, etc.). If they insist on having a name, I will consider whether they have a legitimate need.
So what would I consider to be a legitimate need?
I would generally feel that the Press Office have a legitimate need to know the name of a journalist if they ask. The reason for this is that they may well be dealing with the same journalist themselves; it’s their job to oversee relations with the Press.
I routinely provide the Press Office with details of requests received from journalists (though not names unless they specifically ask), and where requested, I will also let them see a draft response. I can understand that might raise eyebrows. But I honestly don’t believe that automatically prevents the request being dealt with in an ‘applicant blind’ manner. The request will still be coordinated by the FOI Officer (or departmental staff in some organisations), the same information will still be sent out. It is just that the Press Office have a ‘heads up’ for any impending news story about the organisation. Even the Information Commissioner recognises that Press Officers will want to (and indeed should) work closely with FOI Officers.
Where I would draw the line would be if the Press Office insisted that the response should be different because of who the request is from. The reality is generally that the Press Office are more likely to change their line if it is out of synch with the FOI response (and by comparing notes, we may actually identify any errors in the response). Any sensible Press Officer is going to realise that they can’t interfere with a legal requirement. They might suggest different ways of saying things, but there is rarely any question (in my experience) of them changing the information that is going out.
It is arguable that it is ‘fair’ (to use the Data Protection Act terminology) to share the names of requesters making requests in a business capacity. Examples would be where it is clear that the request is being made by someone on behalf of the body corporate (eg they use a corporate email address; their signature includes their employer’s details; their letter has a corporate letterhead). I still wouldn’t routinely circulate a name, but I’d feel slightly better about it if asked.
There may be circumstances where individuals within the organisation need to know who has made a request to apply the Act itself effectively. For instance, if the case is being made to aggregate the costs of compliance with a series of requests, or to class a request as vexatious, the history of that individual’s contact with the organisation is likely to be a relevant consideration.
The crisis point for me would come if I felt that it wasn’t ‘fair’ to share the details and that there wasn’t a legitimate need. If the Chief Executive insists on knowing who made a request without providing adequate justification, how do I deal with that? Ultimately, under enough pressure, I know that I am likely to provide the information, as to be frank, I may well not have a choice. But first I would at least try to persuade them that they either don’t need a name, or at least to provide me with some sort of explanation as to why this is justified.
For this reason, I would always advise requesters to assume that their details will be known to anyone in the organisation they make their request to. Most of the time, for most people, that will probably not be a problem. However, I was recently asked for advice by someone who wanted to ask for information held by their employer, and I could only advise them that their best approach would be to use a pseudonym. I don’t generally condone that, but if anonymity is important, then that’s really your best option (and if your pseudonym is credible, the FOI Officer is not going to know – so you can avoid your request being refused under section 8).