Improvements after ICO enforcement action
ICO comment: what this case study means
This case study demonstrates how targeted action by the ICO can help organisations turn things around and improve the rate of on-time responses to FOI requests. It also highlights the benefits of improving organisational-wide training around handling FOI requests, designating FOI points of contact within business areas and having an escalation point of contact to increase accountability.
Situation
The ICO‘s Regulatory Action Policy sets out how we intend to make the best use of our powers. It outlines the circumstances in which we will take regulatory action. In line with our regulatory powers under the Freedom of Information Act 2000, we took action against an organisation in 2023.
Through our casework data, we identified that the organisation had a consistently late response rate to FOI requests.
The organisation also had a history of poor engagement with the ICO. It had ignored enquiries from case officers. ICO lawyers had to intervene before it complied with decision notices requiring it to respond to requests.
The action we took
We issued a practice recommendation to the organisation in 2023, recommending the following steps:
- Devise an action plan with appropriate processes put in place to ensure it achieves 90% timeliness.
- Use our FOI self-assessment toolkit to support and sustain its recovery plan.
- Publish compliance statistics in accordance with the section 45 Code of Practice and make these easily accessible on its website.
- Set up clear escalation procedures when staff do not meet internal deadlines in the request handling process.
- Information rights training should ensure that adequate coverage is in place if key staff members leave the organisation.
- Respond in a timely and constructive manner to enquiries from case officers.
Impact
Since we took action, the organisation has achieved a positive impact in these areas:
Improvement in the rate of on-time responses
Performance data provided by the organisation showed evidence of a sustained improvement in the rate of on-time responses. A total of 269 FOI requests, received over a four month period, were responded to within 20 working days.
Efficient management of FOI inbox
Five staff now have access to the FOI email inbox so requests are picked up more quickly. The inbox has also been organised into sub-folders for better management of responses.
Publication of performance statistics
The organisation now publishes the number of FOI requests it receives each month, and how many it responded to within 20 working days. This data, published in accordance with the section 45 Code of Practice, is updated quarterly.
Dedicated FOI contact and escalation point
Each department now has a dedicated point of contact to facilitate FOI responses. The organisation has updated its request handling procedures. They now include a provision for escalating requests likely to exceed the response deadline to the Head of Service or a Director. Recording the action taken as a result of the escalation, and how staff communicate this to the requester, are also part of the updated procedures.
Mandatory FOI training
All staff must take a mandatory FOI e-learning module. The organisation has also produced a training guide for customer service centre staff handling FOI administration. It is also going to recruit a deputy data protection officer with an FOI remit to provide technical expertise and resilience.
Improved engagement with the ICO
The ICO’s FOI casework team has reported a significant improvement in their engagement with the organisation. The organisation has created a separate folder to manage ICO correspondence, which is monitored and prioritised by the customer services manager.