UNIVERSITY of GLASGOW

IT Services

Freedom of information, 9th February 2005

A short presentation was given by Claire Johnson, Archive Services, with the following being the main points:

  • Two Acts are in operation: one specifically for Scotland and a second for the rest of the UK.
  • The Acts have been worded in such a way as to allow wide coverage of information that public bodies hold. The intention is to help openness and transparency of decision-making. It is important that the systems and processes in the University for managing information are operating effectively and that the distributed support community is able to help other staff respond to enquiries by managing their information well, whether on web pages or servers.
  • There are 17 exemptions to disclosure given in the Scottish Act; two important types of exemption are to preserve personal privacy (as this is covered by the requirements of the Data Protection Act 1998) and commercial confidentiality.
  • The general thrust of the Act is one of "Presumption to Openness", with organisations providing advice and assistance when they receive a request.
  • The areas in which requests may be expected include policy, procedures and statistics; and may be of an academic or administrative nature. Much of this information is already made available through the University's web site so it is important that it is kept current and updated regularly. All information should be managed so that redundant and time expired information is removed regularly and the navigation is logical.
  • One of the requirements of the Act is to produce a "Publication Scheme" (http://www.gla.ac.uk:443/adminforms/foimps/; there is a link from the University's Home Web Page). It is a structured index to information routinely made available and is a useful tool for those making enquiries.
  • Archive Services are actively involved in supporting compliance with the Act, for example through Department visits in order to educate and define any training requirements for local FOI staff. More information is available at http://www.archives.gla.ac.uk/service/fst/default.html

As reference is made to the Data Protection Act within the following discussion, it may be helpful to summarise a few key points. The experience [with the UK Information Commissioner] is that when they initiate an investigation they want evidence of:

  • Written procedures to cover issues of authorisation,
  • Evidence that the procedures are known and have been followed, and
  • An audit trail of authorisation in the particular case under investigation.

If you have these and they conclude you have made a mistake, then they will ask you to correct the mistake [if possible] and make suggestions as to how your procedures must change. If you have no written procedures for authorisation etc. and have no audit trail, they may well 'take you to the cleaners' as it shows you are not organised.

Claire Johnson was then happy to take questions on the subject of the Freedom of Information Act and its impact on staff.

Question: How specific and detailed can a question be in relation to the 20-day reply rule?

Answer: If the information is collected and held, and does not fall within one of the exemptions, it should be disclosed. If you have any doubts about disclosing information, your departmental or Faculty FoI Co-ordinator should be contacted. A list of these people is available on the web site (http://www.gla.ac.uk/staff/foi/).

There is no requirement to create new information just to answer an enquiry. If we do not hold it we cannot disclose it.

Question: What if a person receiving a request has only partial knowledge - do they need to respond?

Answer: It may be that a central office or another area of the University is a more appropriate responder. If it were unclear what the relevant area is, an initial step would be to consult the University's "Publication Scheme" or your local FoI Co-ordinator.

Question: Can follow-up questions be made after the requestor has received a reply?

Answer: Yes, and it should be treated as a new request so you have a full 20 days to answer it.

Colin McLaren, Veterinary School: What if personal data is contained within the information being sought?

Answer: You must consult the Data Protection Officer (DPO) if you are unsure as to whether any information should be considered as 'personal data' in terms of the DPA and must follow the guidelines given by the DPO. Do not disclose any information until you have done so. If the personal data is about the requester they should be told to make a "Subject Access Request" under the Data Protection Act. The process for doing this is available at the following location:

http://www.gla.ac.uk/dataprotection/subject_access.html

John Faithfull, Hunterian Museum: Where staff are dispersed, it is often difficult to coordinate record keeping. Are there any proposed policies or agencies in order to improve the management of information across the University?

Answer: At this time, Information Audits are being carried out in departments and central offices by Archive Services. This should assist with identifying good practice for record keeping. Archive Services are also available to Departments with regard to assisting in developing efficient management of information, identifying training needs and will be providing Heads of Departments with their findings. There is a series of self-help guides available on the Archive Services web pages: http://www.archives.gla.ac.uk/service/recman/guides.html

John Faithfull, Hunterian Museum: Within his Department, the management of paper records is effective. However, the management of electronic records is seen as more difficult.

Answer: No distinction should be made on the grounds of media with regard to the policies and procedures for managing information. The principle is that there should be consistent practice, and digital folder structure should mirror what is done for paper records and with any other information media employed.

The clearer identification of individual staff responsibilities and compliance with an efficient record management system should ensure that all information is held in compliance with the Freedom of Information Act.

Iain Logan, Computing Service: With regard to maintenance of electronic records stored on a networked drive, is it the responsibility of the desktop user or the server manager?

Answer: It is a shared responsibility. The desktop user has the primary responsibility for the files he/she saves to a networked drive and should ensure that they organise their folders consistently and observe good practice with regard to version control, naming conventions and their appropriate deletion. The IT support staff are providing the IT infrastructure and are responsible for ensuring security etc.

Uploads to the web site need to be managed so that locations and changes to location do not create "orphaned" or unlinked pages. It is especially relevant to anything that appears in the Publication Scheme.

Mark Temple, AIMS IT Office: In relation to the last question, noted that you can search for a type of information without looking at particular content of networked drives.

Frank Mechan, MIS: In response to the last comment, would be reassuring to have a procedure to follow. Current practice he employs is to seek proper authorisation and to inform staff of any need to search data files.

David Fildes, DPO: Distributed IT Staff need to seek legitimate and proper authority to search data files. It is essential the IT staff seek proper & legitimate authority before searching data files - a requirement under DPA, CMA, RIPA/LBPR etc., especially if there is the possibility of personal data being present.

James Currall, IS: In response to this particular discussion, you can search for certain content. Once those that have generated the content in question have been identified, a discussion with them is possible without reference to any personal details contained in the data.

David Fildes, DPO: Whilst it is technically possible to do as JC states, IT staff MUST operate in an environment where their interests, responsibilities and safeguards are taken into account. If something goes wrong [legally], and the IT persons are found to operate without authorisation then they will probably be held responsible. There must be transparent, clear, observed and known procedures in place to seek the authority to do any such search. These procedures could be agreed at Faculty level when IT is organised on a Faculty basis. The issue of access to mail (post & e-mail) to detect a FoI request when staff are away is with HR as the issue is tied in with our contracts and our 'expectations' as to privacy - Article 8 of the Human Rights Act.

Claire Johnson, Archive Services: In summary, always seek authority for data searches; staff are not being asked to make individual, arbitrary decisions with regard to this issue.

Question: Is there any move towards a central repository of information?

Answer: The intention at this time is to continue with a devolved, efficient record management model. One exception would be the Committee Document System (CDocS), but this system performs a particular role that necessitates central control.

John Faithfull, Hunterian Museum: As a general comment, University needs to assume that all information held is potentially of public interest.

John Faithfull, Hunterian Museum: In order to see how the University comes to decisions, he feels that requests to see e-mail transcripts will become a popular form of enquiry.

Frank Mechan, MIS: How are Distributed IT Staff to manage requests?

Answer: Structures will be put in place for all staff to follow, for example there will be Freedom of Information Coordinators at Department / Faculty level to consult with. Distributed IT staff should seek the authority before doing a search.

Question: Retention schedules, how does that relate to e-mails?

Answer: Base e-mail record retention on its content, not on the type of media being employed. An assessment has to be made, as is the case for hard copy mail, as to the longevity of the information's usefulness (not only to the Department, but in relation to answering legitimate requests for information from the public).

Jim Barclay, Crichton College: Could it be possible that relevant e-mails are destroyed before a request is made?

Answer: Relates to previous answer. A risk assessment needs to be made with regard to the usefulness of information contained in e-mails (and any other media) and its expected lifetime.

Archive Services are willing and able to assist in the formulation of policy and procedures that relate to the specific needs of different parts of the University. Archive Services can inform with regard to good practice, but desktop users have an important contribution to make in determining the life cycle of information they are responsible for. Distributed IT staff are not those best placed to determine the life cycle - that is a business issue not an IT issue. The IT role is to provide information as to the security, storage, and access costs of implementing the business-based decision.

Question: What if information is deleted as part of an established information management policy and a request is subsequently made of it?

Answer: As long as information is not destroyed after a request is made, compliance with the Act is maintained.

David Anderson, Computing Service: Where do electronic backups fit with regard to the FOI Act?

Answer: Again, there should be a transparent backup policy that is complied with, specifically in relation to deletion of records.

Michael McCabe: What if a request is received that is outwith the remit of that individual?

Answer (James Currall, Computing Service): A response must be made, as "the clock is ticking" from the moment the initial enquiry is made.

Joan Kemp, Medical Faculty: Will a central record of requests be held?

Answer: No. However, the local FOI Coordinator needs to be informed of all requests. Centrally, local FOI Coordinators' monthly returns will be assessed but this is for the purpose of defining good practice and improving the content of the Publication Scheme.

Tim Rowland, Language Centre: Can a distinction be made with regard to who is making the request, for example a journalist asking about PC numbers being okay as opposed to a Computer Vendor?

Answer: No. If information is requested that is relevant to our work, University has no right to ask the purpose of the request.

Linda McCormick, Computing Service: Can a distinction be made with regard to the scale of a request, for example a 20-page questionnaire from a professional body?

Answer: Again, risk assessment is the answer. It may be that not responding is deemed appropriate. However, it may be that not responding would affect relations with an organisation that is seen as important to the University.

Need to base decisions on what rewards are perceived with regard to investing time and effort in responding to requests.

Joan Kemp, Medical Faculty: What are the guidelines with regard to charging?

Answer: Where there are currently charges for publications it would be appropriate to charge. In the case of a need to respond in more detail, it should be noted that full economic costing couldn't be recovered from the requestor so charging is not a viable approach. Please contact your local co-ordinator if you think charges might apply.

Linda McCormick, Computing Service: In the case where there is a technical solution with regard to the retrieval of data, but the investment required is significant could the University make a case for not providing information?

Answer: If the cost / benefit analysis was seen to be valid, yes.

Ann Gow: What if I'm on holiday?

Answer: Need to put in place a system to make it clear that another team member or part of the service will deal with the request, or that the request will only be dealt with after a certain date if there is no cover available. Perhaps you forward the requestor to another member of staff, for example answer phone message.

Question: What if there is only one person with the knowledge base and they are unavailable within the 20 days?

Answer: Must still respond to the requestor, explain the circumstances and provide a timetable for answering the enquiry.

John McClure, Psychology: What sanctions can be imposed with regard to non-compliance?

Answer: The requestor must inform the University that they are unhappy with the lack of response to a question. University has an internal procedure in place for reviewing the action taken by staff and addressing any issues that arise. It may be decided that the action taken was appropriate and therefore inform the requestor of this.

If, after getting the University response to a complaint, the requestor is not satisfied, an appeal could be made to the Scottish Information Commissioner. A "Practice Note" may be issued if the Commissioner decides that the University's response was not adequate.

Tom Muir, Medical Faculty: Are there any punitive actions that can be taken against the University?

Answer: Ultimately the Court of Session can be involved, but it is dependent on the seriousness of the non-compliance; for example the destruction of information after a request was received would be seen as totally outwith the spirit of the Act.

Question: Who is responsible within the University?

Answer: Ultimately, the University Court. However, there would be an internal review of the actions and responsibilities of the particular staff involved in any case that was found to be in breach of the Act.

Question: Should all enquiries initially be seen as a freedom of information request?

Answer: Yes.

Question: Would internal requests for information come under the FOI Act?

Answer: Yes.

Joan Kemp, Medical Faculty: What should have precedence, FOI or Data Protection Act?

Answer (both Claire Johnson, Archive Services, and James Currall IS): Data Protection Act.

And on that note, everyone adjourned for lunch with Claire Johnson happy to answer questions informally over a sandwich or two...