Freedom of information and environmental information regulations policy

Version number1.0
First published:May 2018
Date updated:June 2024
Next review date:August 2025

Policy prepared by:

Freedom of information (FOI) manager
FOI lead
Policy owner:Sam Haq, Director of Communications, Chief Strategy Officer Directorate
Policy approved by and date:Executive Corporate Group, March 2024
Brief summary of changes since previous version: Policy updated following NHS England merger with NHS Digital and Health Education England

1. Purpose

This policy is designed to ensure the effective processing of requests made under the Freedom of Information Act 2000 (the FOI Act) and/or the Environmental Information Regulations 2004 (EIRs).

All NHS England staff, including those who have transferred to NHS England following the legal mergers with NHS Digital and Health Education England, are within the scope of this policy. This includes:

  • central teams
  • regional teams
  • all commissioning support units
  • all NHS England staff, including contractors, temporary and agency staff, embedded staff, secondees into NHS England, volunteers, honorary contractors and all permanent employees.
  • all staff who work for bodies hosted by NHS England, including any third-party organisations which hold information on behalf of NHS England

2. Scope

The FOI Act was passed in 2000 and replaces the Open Government Code of Practice that had been in place since 1994. The FOI Act gives the public a general right of access to recorded information held by public authorities. The FOI Act came into full effect on 1 January 2005.

The FOI Act places a statutory obligation on all public authorities to publish details about recorded information that they hold in a publication scheme and to provide the public with access to recorded information they hold on request, except where an exemption or administrative right to refuse the request applies.

The Regulations were passed in 2004 and provide a right of access to environmental information which is held by public authorities.

The Regulations also place upon public authorities a statutory duty to proactively make environmental information available to the public using easily accessible electronic means whenever possible, and to respond to requests for environmental information which they receive, except where an exception applies.

NHS England is a public authority under the FOI Act and the Regulations and must therefore comply with their requirements. NHS England recognises the importance of both the FOI Act and the Regulations and the right of access and transparency which they provide. It will ensure that appropriate systems are put in place to publicise what recorded information is kept by the organisation and how this information can be accessed on request by the public.

2.1 The Freedom of Information Act 2000 (the FOI Act)

  • provides a general right of access in response to a request in writing to recorded information held by public authorities and a right to re-use certain datasets. It also provides a right to be told whether or not information requested is held by a public authority (the duty to confirm or deny)
  • sets out administrative grounds for refusing a request and exemptions from the duty to provide information or to confirm or deny that information is held
  • sets out requirements to be met for a request be valid and requirements public authorities need to meet when complying with a request and refusing a request, including requirements about the timescales for responding to a request
  • makes arrangements in respect of charging costs and fees for complying with some requests
  • places a duty on public authorities to adopt a publication scheme and to publish information in accordance with the scheme
  • places a duty on public authorities to provide advice and assistance to people who wish to make, or have made, requests for information
  • provides for the publication of Codes of Practice on the discharge by public authorities of their obligations under the FOI Act (under section 45), and in relation to records management (under section 46), which public authorities must have regard to
  • as a matter of good practice, in accordance with the Code of Practice issued under section 45 of the FOI Act, to consider complaints made about the public authority’s compliance with the FOI Act by carrying out an internal review and responding within certain timescale
  • sets out arrangements for complaints to be considered and enforcement of the FOI Act by the Information Commissioner and appeals to be made to the Tribunal

2.2 The Environmental Information Regulations 2004 (EIRs)

  • provide that everybody has a right of access to environmental information recorded and held by public authorities in response to a request in writing or made verbally. It also provides a right to be told whether or not environmental information requested is held by a public authority (the duty to confirm or deny)
  • set out exceptions from the right of access or the duty to confirm or deny that information is held, all of which are subject to a public interest balancing test
  • set out requirements to be met for a request to be valid and requirements public authorities need to meet when complying with a request and refusing a request, including requirements about the timescales for responding to a request
  • make arrangements in respect of charging costs and fees for complying with some requests.
  • place a duty on public authorities to proactively make environmental information available to the public using easily accessible electronic means whenever possible
  • place a duty on public authorities to provide advice and assistance to people who wish to make, or have made, requests for environmental information
  • place a duty on public authorities to consider complaints made about the public authority’s compliance with the EIRs by carrying out an internal review and responding within certain timescales.
  • provide for the publication of a Code of Practice on the discharge by public authorities of their obligations under the EIRs (under regulation 16) which public authorities must have regard to
  • set out arrangements for complaints to be considered and enforcement of the EIRs by the Information Commissioner and appeals to be made to the Tribunal

2.3 Application and enforcement

The FOI Act and Regulations are retrospective and apply to all recorded information held by public authorities regardless of its date. Neither obliges public authorities to retain information which is no longer useful to them.

Any person can submit an FOI or EIR request to a public authority in England, Wales or Northern Ireland, which is subject to the relevant legislation, regardless of where the requester is located.

Both the FOI Act and Regulations are overseen by the Information Commissioner’s Office (ICO) who can investigate complaints, make decisions on whether a public authority has complied with its obligations under the legislation in response to a complaint, monitor organisational compliance, issue undertakings, serve practice recommendations, information notices and enforcement notices and, if needed, initiate criminal proceedings in relation to alleged criminal offences and court proceedings to ensure compliance.

2.4 Definitions

In both the FOI Act and the EIRs, “information” is defined as any item of recorded material held by or on behalf of a public authority in paper or electronic form. This includes but is not limited to, all draft documents, agendas, minutes, emails, diaries, handwritten notes, text messages, messaging Apps (e.g., WhatsApp, MS Teams), personal email accounts and messages (where used in a work context) and all other recorded information, such as audio-visual.

Environmental Information is defined in Regulation 2(1) of the EIR, and can be summarised as any information about, concerning or relating to the environment. Information does not need to directly refer to the environment to constitute environmental information.

Throughout this document, the FOI Act and the EIRs will be collectively referred to as ‘the legislation’. Where it is necessary to refer to one or the other, they will be referred to as “the FOI Act” and “the EIRs” respectively.

Requests for information made under the legislation will be referred to as “requests”. Where it is necessary to refer to a particular type of request, this will be specified.

For the purpose of this policy, ‘teams’ are defined as directorates, sub-directorates, teams, departments or individuals who have been asked to identify relevant information or otherwise contribute to the handling of and/or response to a request.

The FOI Team are responsible for the management of both FOI and EIR requests.

3. Policy statement

NHS England will use all appropriate and necessary means to ensure that it complies with the legislation and associated Codes of Practice issued pursuant to sections 45 and 46 of the FOI Act and under Regulation 16 of the EIRs.

4. Roles and responsibilities

Organisational responsibilities

NHS England recognises its responsibility under the legislation to provide the general right of access to recorded information held. Overall responsibility for this policy sits with the NHS England Chief Executive.

The Chief Strategy Officer is responsible for overseeing the implementation of this Policy and will establish systems, procedures, and operational processes to support its implementation, as necessary.

The Senior Information Risk Officer (SIRO), who is the Chief Delivery Officer, is responsible for ensuring that information risks associated with compliance with the FOI Act and the Regulations are managed appropriately and that the Board are adequately briefed on information risk issues. The Deputy SIRO, who is the Director of Privacy, Transparency and Trust is authorised to discharge the SIRO’s day to day operational responsibilities in relation to the management of information risk associated with compliance with the FOI Act and Regulations.

Publish and maintain a Publication Scheme, including making environmental information available.

Under the UK General Data Protection Regulation (UK GDPR), the Data Protection Officer (DPO) has a legal duty to advise NHS England on issues of data protection compliance, including the disclosure of any personal data in response to a request under the FOI Act or the Regulations.

NHS England’s FOI team will:

  • ensure that there is always one person with overall operational responsibility for FOI and EIR available within standard business hours (9am to 5pm, Monday to Friday, excluding Bank Holidays)
  • provide relevant FOI and EIR training for all staff, including those with functional responsibilities associated with the legislation, as necessary
  • provide clear lines of reporting and supervision for compliance with the legislation
  • identify, report and escalate compliance and information risks in accordance with agreed risk management processes
  • develop and maintain clear procedures for recognising and responding to requests in a timely manner to meet the requirement to respond promptly to requests and within twenty working days, subject to any extensions permitted under the legislation
  • support the Records Management Team in implementing a comprehensive Records Management Strategy that compliments both FOI and EIR. Provide advice on complying with the requirements of the FOI Act and EIRs, including advice on exemptions to withhold information or to refuse to confirm or deny it is held

Team responsibilities

The NHS England Customer Contact Centre (CCC) is responsible for:

  • identifying FOI and EIR requests received by the NHS England CCC via the contactus@nhs.net email address
  • logging all requests on to the Microsoft Dynamics 365 Customer Relationship Management (CRM) system within two working days of receipt. Once logged on CRM, the CCC will assign each new case to the FOI Triage queue

Teams are responsible for:

  • identifying all information held by NHS England within the scope of a request when asked to do so by the FOI team
  • identifying whether the time it would take to identify and retrieve information covered by a request could exceed 18 hours of staff time, which would entitle NHSE England to refuse a request and in providing time estimate breakdowns to show how the time would be incurred
  • complying with deadlines set by the FOI team in relation to requests to which they are asked to identify information and to contribute
  • ensuring that the information they provide to the FOI Team is accurate and complete and checking the accuracy and content of responses, where requested by the FOI team
  • advising the FOI team of any concerns that there may be in respect of releasing information into the public domain, thereby assisting the FOI team in considering any relevant exemptions which may be applicable
  • identify all hidden data in spreadsheets they provide, or where the hidden data is not needed to support the response to a request, delete the hidden data from the spreadsheet. Hiding data in a spreadsheet does not remove it. It can only be removed through deletion
  • obtaining approval from the Deputy SIRO and Director of HR (or their deputy) to access NHS England IT systems and email accounts to locate information held where this is necessary to respond to a request
  • where appropriate, they nominate a senior person within the team to act as a single point of contact for the request to liaise with the FOI Team in the provision of information as required
  • ensuring that information is created, maintained, retained, and disposed of in accordance with all NHS England Records Management Policies, procedures, and processes to enable easy identification and retrieval when required
  • acting appropriately to recommendations or queries generated by the FOI team
  • assisting the FOI Team with investigations to support the response to Internal Reviews, ICO complaints, investigations and Tribunal cases

In the event that a team seek to rely on section 36 of the FOI Act to withhold information, the team is responsible for nominating a senior member of the team (recommended minimum ESM or an individual to whom the responsibility has been delegated by the ESM) who will sponsor the recommendation of the exemption to the Qualified Person, and who will work with the FOI Team and where necessary, the Privacy, Transparency and Trust team, on the required submission to the Qualified Person and who will be available to respond to queries from the Qualified Person and/or their office in relation to the request and/or exemption.

Final draft responses to all requests must be approved for issue by an appropriately qualified member of staff operating at Agenda for Change band 8C or above, or a member of staff with delegated authority, unless otherwise advised by the FOI team. This will be determined by the team and the name and job title of the responsible approver should be communicated to the FOI team as early in the process as is feasible.

The Data Protection Officer is responsible for:

  • providing advice to the FOI team or a team in relation to the application of data protection law, and the common law of confidentiality, when responding to a request under the FOI Act or the Regulations. When the FOI team or a team is responding to a request under the FOI Act or the Regulations, advice must be sought from the DPO team before disclosing personal data, which may include patient confidential information and/or information relating to an individual who has deceased
  • advice from the DPO team is not required where the DPO team has already agreed in writing that a defined category of personal data relating to a defined category of individuals can be disclosed
  • providing data protection advice in response to any complaints to the ICO, and on any Appeals to Tribunal, involving the use and / or disclosure of personal data, including any reliance on the exemption under section 40 of the FOI Act

The Privacy, Transparency and Trust team will be responsible for:

  • providing advice to the FOI team or a team on records management requirements.
  • providing strategic advice when requested by the FOI team or a team on the application of any exceptions or exemptions to the duty to confirm or deny, or the duty to disclose or publish any information
  • providing strategic advice when requested by the FOI team or a team on the application of the section 36 exemption and submissions on this to the chief executive
  • providing strategic advice on any complaints to the ICO, and on any Appeals to the Tribunal, together with the Legal team

Employee responsibilities

All members of staff will, through appropriate training and responsible management:

  • identify all information they hold within the scope of a request when asked to do so by the FOI Tteam
  • identify whether the time it would take to locate, retrieve and extract information they hold within scope of a request could exceed 18 hours of staff time , (which would entitle NHS England to refuse a request, due to the £450 limit as set out in The Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulation 2004) and provide time estimate breakdowns to show how the time would be incurred
  • provide the FOI Team with full, accurate, complete and appropriate information to support responses to requests within the timescales outlined by the FOI team
  • undertake any formal training in relation to the FOI Act or Regulations which the organisation deems to be relevant to that person’s role
  • record information accurately and appropriately. Be mindful of the fact that as per the legislation, members of the public may request access to any recorded information held by the organisation, including internal correspondence and work-related information held on private devices
  • ensure that any requests which they or their team receive directly (i.e., outside of the normal FOI process) are forwarded to england.foi@nhs.net on the working day on which it is received. The FOI Team encourage colleagues to contact them directly if they are unsure whether a request falls within the scope of the legislation; this ensures valid requests are not inadvertently missed. FOI requests must be made in writing (except in circumstances where the applicant requires reasonable adjustments), while EIR requests can be made verbally or in writing
  • understand that breaches of this Policy may result in disciplinary action, up to and including
  • not alter, deface, block, erase, destroy or conceal any record held by or on behalf of NHS England with the intention of preventing the disclosure of all, or any part, of the information in response to a request. To do so could result in the member of staff committing a criminal offence under section 77 of the FOI Act or Regulation 19 of the EIRs

5. Managing Requests for Information

5.1 Corporate arrangements for the management of requests

It is the responsibility of the Deputy Head of External Affairs (Parliamentary Briefing and FOI Response)on behalf of the Chief Strategy Officer to ensure that the organisation has employed efficient processes to support the FOI and EIR agenda, and to assure that all requests are managed correctly.

NHS England has existing processes for providing information to members of the public and other persons which are not superseded by this policy. Requests for information generated as part of NHS England’s existing processes may be answered as ‘business as usual’ if it is deemed reasonable to do so.

5.2 Receiving of requests

NHS England will publicise the contact information for its Customer Contact Centre (CCC), which is the designated ‘front door’ for FOI and EIR requests made to the organisation. Most new requests are made to the CCC using the email address england.contactus@nhs.net. We recognise, however, that in light of the merger of NHS England, NHS Digital and Health Education England there are likely to be some instances where legacy contact information is used by prospective applicants. It is essential that all requests are forwarded to the CCC as soon as possible, as the statutory timeframe for compliance commences at the point the request is received by the organisation (i.e., by anyone within the organisation).

Should any department, team or individual other than the CCC receive a new request, they must forward it to the FOI Team at england.foi@nhs.net on the working day it was received. Where this is not possible, e.g., because it was received outside of normal business hours, it must be forwarded to the FOI Team immediately on the next working day. It is the responsibility of all colleagues, not the applicant, to forward any request on to the FOI Team.

New requests will be logged by the CCC onto the Microsoft Dynamics 365 Customer Relationship Management (CRM) system. The CCC will log all new cases within two working days of receipt. Once logged on CRM, the CCC will assign each new case to the FOI Triage queue. From here, the case will be allocated to a member of the FOI team for action.

Should any department, team or individual other than the CCC receive a new request, they must forward it to the FOI team at england.foi@nhs.net on the working day it was received. Where this is not possible, e.g. because it was received outside of normal business hours, it must be forwarded to the FOI Team on the next working day. It is the responsibility of all colleagues, not the applicant, to forward any request on to the FOI team.

If a new request is received directly by the FOI team, or is forwarded to them internally, the FOI Team will log the request on the CRM system.

5.3 Validity of requests 

The FOI Act sets out what constitutes a valid request made under the legislation.

Under FOI Act, a valid request is one which is:

  • in writing
  • iIncludes the requester’s real name (see Annex A for examples)
  • includes an address for correspondence
  • describes the information which is being requested

EIR requests can be made in writing or orally, and do not need to include the applicant’s real name. However, responses to EIR requests must be issued in writing, and as such it will be necessary obtain an address or email address for correspondence from the applicant.

Where the CCC can process a request as business-as-usual activity, they will do so. If the applicant specifically cites either the FOI or the EIR, the request will be logged on CRM and assigned to the FOI Triage queue.

5.4 Reasonable adjustments

NHS England will consider an applicant’s need for any reasonable adjustments when receiving and handling requests and will make any such adjustments, as far as is reasonably practicable. Adjustments include, but are not limited to;

  • use of large/different font in communications
  • accepting requests by phone
  • using postal communications rather than electronic communications or vice versa
  • provide advice as to further support available to the applicant

The Reasonable Adjustments process for taking requests via phone, rather than in writing is included at Annex B below.

5.5 Process for responding to requests

NHS England will follow the FOI and EIR process set out at Annex C when processing requests which it receives.

The legislation makes it an offence to alter, deface, block, erase, destroy or conceal any information which is held by the organisation to prevent disclosure.

5.6 Time limits for compliance with requests

NHS England has systems and procedures to ensure that it complies with the duty to confirm or deny whether it holds requested information and to provide a response to requests within the statutory timeframe of twenty working days from the point of a valid request being received by the organisation. The timescales may be extended in limited defined circumstances set out in the legislation or Codes of Practice.

If the information requested by the applicant incurs a charge or a fee and the applicant has paid this, the period from when the applicant received the fees notice to when they paid the fee is disregarded for the purposes of calculating the twentieth working day following receipt.

NHS England may choose to apply an exemption or exception to any information where the exemption or exception applies, or to refuse a request if it is vexatious, repeated, manifestly unreasonable, or exceeds the appropriate limit for costs of compliance. A formal refusal notice which informs the applicant of this decision must  be issued within twenty working days.

5.7 Means by which information will be conveyed

When an applicant, on making their request for information, expresses a preference for communication by any one or more of the following means:

  • the provision to the applicant of a copy of the information in permanent form or in another form deemed to be acceptable by the
  • the provision to the applicant of a reasonable opportunity to inspect the record containing the information
  • the provision to the applicant of a digest or summary of the information in permanent form or in another form acceptable to the applicant

NHS England, as far as is reasonably practicable, will give effect to that preference, considering any information which it is deemed needs to be withheld where exemptions apply.

In determining whether it is reasonably practicable to communicate information by a particular means, NHS England will consider all the circumstances, including the cost of doing so. If it is determined that it is not reasonably practicable to comply with any preference expressed by the applicant in making their request, the applicant will be notified of the reasons for its determination. Where any such determination is made a note will also be included on the CRM system to record the reason for the decision. Any relevant information which is to be released will then be provided by such means as NHS England deems reasonable in the circumstances.

5.8 Response format and responsibility for communication with applicants

All responses will be issued to applicants by the FOI Team directly. There may be some circumstances, e.g., where an applicant has a communications plan in place, in which it is necessary for the response to be issued by another team or individual on behalf of the FOI Team. These circumstances will be identified on a case-by-case basis.

The FOI Team will use an agreed-upon set of templates to produce responses to requests. This will ensure consistency and the templates will be reviewed, as necessary.

5.9 Refusal of requests

The organisation has a duty under the legislation to confirm or deny whether information which has been requested is or is not held.

The duty to confirm or deny does not arise where:

  • an exemption or exception which removes the duty to confirm or deny is applied
  • a fees notice has been issued and the fee has not been
  • an estimate demonstrates that the cost of compliance will exceed the appropriate limit (18 hours of staff time)
  • it can be demonstrated that the request is repeated, vexatious or manifestly unreasonable.
  • it is unclear what information is being requested

Other than in circumstances where the duty to confirm or deny does not arise, applicants will be advised whether NHS England holds some, all or none of the requested information.

Where NHS England does not hold some or any of the requested information, the applicant will be:

  • informed that NHS England does not hold the requested information
    • where only part of the information is not held, it will be made clear which parts are held, and which are not
  • provided with an explanation, where possible, of why the information is not held
  • provided with advice and guidance, wherever possible, regarding potential alternative sources of information

Where NHS England does hold the requested information, the applicant will be:

  • informed that NHS England holds the requested information.
  • either:
    • provided with the requested information, plus any necessary or helpful explanatory information, or
    • provided with an explanation of why the information is exempt from disclosure, with specific reference to the exemption(s) or exception(s) which applies

Where NHS England is refusing to comply with a request, the applicant will be:

  • provided with a refusal notice which confirms the reason for the refusal, for instance:
    • the request is invalid
    • the request will exceed time/cost limits
    • the request is vexatious or manifestly unreasonable

5.10 FOI Act exemptions

NHS England will operate on a ‘presumption of disclosure’ basis. This means that information which has been requested via the legislation will be disclosed, except where an exemption (or a reason for refusal as set out above) applies.

Under the FOI Act, there are 23 exemptions which permit the withholding of information. These are set out at Annex D. FOI exemptions are either class or prejudice-based; absolute or qualified.

Class-based exemptions permit the withholding of information based on the characteristics of the information itself; for instance, information which is intended for future publication. The substance of the information is not relevant to the application of the exemption; the mere fact that it is intended for publication is sufficient.

Prejudice-based exemptions permit the withholding of information based on the potential prejudicial impact of disclosure. This means that the characteristics of the information are not relevant to the application of the exemption; whether disclosure would (or would likely be) harmful determines whether the exemption applies.

Qualified exemptions require consideration of the Public Interest Test (see below). The information can only be withheld if the Public Interest Test determines that the public interest in maintaining the exemption outweighs the public interest in disclosure.

Absolute exemptions are not subject to a Public Interest Test. If the exemption is engaged, the information can be withheld.

5.11 The FOI Act public interest test (PIT)

The PIT is a balancing exercise which considers whether the public interest in releasing the information outweighs the potential harm or prejudice associated with disclosure.

The FOI team and the team will work together to complete the PIT. A record of the factors for and against disclosure in each case will be produced. There is no requirement for this record to take any particular form, but it must be clear how the public interest decision was made.

If it is determined that a qualified exemption is engaged in respect of the information requested NHS England may extend the 20-working day timeframe, under section 10 (3) of the FOI Act, to allow time for a PIT to be conducted. On such occasions NHS England will, by the 20th working day, advise the applicant what qualified exemption is engaged, that further time is required to consider the public interest in release and provide an updated timeframe for a final response (which would usually be within a further twenty working days).

5.12 FOI Act section 36

Section 36 of the FOI Act exempts information if its disclosure would or would be likely to inhibit the ability of a public authority to conduct its public affairs. Section 36 can only be engaged by an organisation’s Qualified Person. The organisation cannot choose the Qualified Person. NHS England’s Qualified Person is the Chief Executive. The responsibility of the Qualified Person cannot be delegated to any other person. The Qualified Person may seek further advice from the Team, FOI Team or the Legal Team to assist informing their opinion.

The Qualified Person’s opinion is only required to engage the exemption. It is not necessary for the Qualified Person to complete the Public Interest Test (or even to be informed of the outcome). However, NHS England recognises that in practice, it is likely that consideration of the public interest is likely to occur alongside consideration of the application of the exemption. As such, it is likely that the Qualified Person will consider both the application of the exemption, and the outcome of the Public Interest Test.

The FOI team will maintain a record of the submission made to the Qualified Person and their opinion.

The Qualified Person’s opinion is not required in relation to the application of the exemption in section 36(4) for statistical information.

5.13 EIR exceptions 

The EIRs also mandate that organisations operate on a ‘presumption of disclosure’ basis. This means that information which has been requested via the legislation will be disclosed, except where an exception applies.

Under the EIR, there are 12 exceptions which permit the withholding of information. These are set out at Annex E.

EIR exceptions are either class or adverse effect based. All EIR exceptions aside from Regulation 12(3) (personal data) are subject to the Public Interest Test.

5.14 The EIR public interest test 

The Public Interest Test is a balancing exercise which considers whether the public interest in releasing the information outweighs the public interest in maintaining the exception.

The FOI team and the team will work together to complete the Public Interest Test. A record of the factors for and against disclosure in each case will be produced. There is no requirement for this record to take any particular form, but it must be clear how the public interest decision was made.

Although the EIR sets out that a Public Interest Test must be completed in all cases, we recognise that it is not possible to conduct a meaningful Public Interest Test in cases where no information is held. As such, it will not be necessary to record details of the factors for and against release if no information is held.

5.15 Redaction of information

Redaction is a process which is carried out to make information unreadable or to remove exempt information from a document. This is achieved by blocking out individual words, sentences, paragraphs, whole pages, or sections of information prior to the release of the document. Where a document becomes unintelligible due to the amount of redaction, the entire document should be withheld.

Responses to requests must state which exemption(s) or exception(s) is being relied upon for each piece of redacted information.

Teams are responsible for identifying information which requires redaction. A ‘clean’ (unredacted) copy of the requested information must be provided to the FOI team with information which demonstrates which words, phrases, sections, paragraphs, or information should be redacted, and on which basis. This can be achieved by highlighting passages of text, adding comments to electronic documents, or providing a supporting document which sets out the redaction rationale. Redaction is not carried out by deleting or removing information from documents. It must remain clearly visible what information has been redacted.

The FOI Team will advise and assist the team in relation to the exemption(s) or exception(s) which may apply to the information which has been flagged, based on the rationale which has been provided to them. The FOI Team may consult the Privacy, Transparency and Trust Team, where necessary, for advice on the application of exemptions under FOI and EIR to personal data or patient confidential data, including data about a deceased individual and will redact any personal data or patient confidential data, or data about a deceased individual which if disclosed would result in a breach of UK GDPR or a breach of the common law duty of confidence.

The process of redacting documents will usually be carried out by a member of the FOI Team, using appropriate redaction software to ensure that redactions are permanent and irreversible.

Spreadsheets will be reviewed in line with the process as set out in Annex G.

Where the team and the FOI Team are unable to come to an agreement on redactions, the matter will be escalated first to the Senior FOI Manager and, if necessary, to the Deputy Head of Parliamentary Briefing and FOI Response. The team and the FOI Team may also seek advice from the Privacy, Transparency and Trust Team and the Legal Team where agreement cannot be reached, on the application of the legislation to a request.

Guidance for teams regarding the redaction process and the review of data provided within spreadsheets can be found at Annexes F and G.

5.16 Escalation process

NHS England will follow the Escalation Process set out at Annex H if internal deadlines are not met. This will facilitate the efficient processing of requests.

NHS England reserves the right to process requests outside of the Escalation Process where this is deemed necessary and appropriate by the Senior FOI Manager (or another member of the team to whom the Senior FOI Manager has delegated that decision making authority).

5.17 Vexatious and repeat requests

Should an applicant make a ‘vexatious’ (e.g. placing unjustified burden on the authority), ‘repeated’ (for identical or substantially similar information) or ‘manifestly unreasonable’ (for EIRs only) request, NHS England will, on the first occasion, issue a refusal notice to the applicant. The refusal notice will set out:

  • the specific exemption(s) or exception which is being relied upon to refuse the request
  • an explanation of why the request is being refused
  • the action the applicant may take if they are unhappy with NHS England’s response
  • confirmation that repeated requests of the same nature will be logged, but no response will be provided

Where considered appropriate, the FOI Team may opt to write to the applicant in advance of a refusal notice being issued, to provide the applicant with the opportunity to revise their request. There is no obligation for the FOI Team to do so, nor any obligation for the applicant to revise their request.

5.18 Datasets

A dataset is a collection of factual information in electronic form (e.g. statistics or figures) that has not been materially altered since it was recorded. To be a dataset, the ‘raw data’ must not have been the product of analysis or interpretation.

Section 102 of the Protection of Freedoms Act 2012 amends section 11 of the FOI Act to require that datasets which are released in response to individual requests or through an organisation’s Publication Scheme must be made available for re-use at the point of release under the Open Government Licence, and where reasonably practicable, in a reusable format. The FOI Team will seek legal advice from the NHS England Legal Team on the terms of re-use applicable to any datasets before authorising re-use.

5.19 Round robin requests

Round Robin requests are those which are generic in nature and are designed to be ‘catch all’ requests submitted to multiple similar organisations.

Any written request for information received by NHS England may constitute a valid request under either FOI or EIR legislation. This includes Round Robin requests. Upon receipt of a circular, questionnaire or any other ‘round robins’ request for information, NHS England will:

  • identify which questions are requests for information under the legislation
  • consider whether it is appropriate to liaise with other organisations which have received the request, to ensure a cogent response is provided to the applicant
  • where consultation is considered appropriate, NHS England will provide the other organisation(s) with our views on potential disclosure, and the reason(s) behind this position
  • provide the applicant with advice and assistance where reasonable and appropriate
  • provide a response in line with the requirements of the legislation 

NHS England will not:

  • liaise with other organisations which have received the request at the expense of the statutory deadline
  • share any identifying information about the applicant when liaising with other organisations
  • issue responses based solely on the views of other organisations; it is essential that any response issued by NHS England is reflective of our position and views
  • instruct or advise other organisations on how to respond to the request they have received

Where questions invite comment or request an opinion, which is not already held on record, NHS England will advise the applicant the information is not held.

5.20 Meta requests

A Meta request is a request for recorded information about the management and/or handling of a previous FOI request.

NHS England will process all Meta requests as individual FOI requests in line with this Policy and associated procedures.

5.21 Requests of potential media interest

Requests which may attract media interest of any kind will be handled as any other request. NHS England will not distort its process or tailor the response to an FOI request due to potential media interest.

Where appropriate, a copy of a final response (once issued) may be provided to the organisation’s media team, for information purposes only.

5.22 Duty to provide advice and assistance

NHS England has a duty to provide advice and assistance to persons making FOI requests under Section 16 of the FOI Act and the Section 45 Code of Practice, and to persons making EIR requests under Regulation 9.

NHS England will endeavour to undertake all steps it deems to be reasonable to ensure compliance with these obligations.

5.23 Identity and motives of the applicant

The ICO advises that requests should be handled on an “applicant and motive blind basis”. This means that in most cases, the identity of the applicant and the reason(s) for their request are irrelevant to the handling of the case and therefore will not be provided to teams in the general handling of requests.

NHS England recognises, however, that there are some occasions where the identity and/or motives of the applicant may inform the handling of or response to a request. These circumstances are set out below:

  • Wwhen considering the application of one or more of the following exemptions or exceptions:
    • Section 8 FOI Act
    • Section 12(1) FOI Act
    • Section 14(1) FOI Act
    • Section 14(2) FOI Act
    • Section 21 FOI Act
    • Section 40(1) FOI Act
    • Regulation 12(4)(b) EIR
    • Regulation 5(3) EIR
  • when considering whether the applicant requires information, outside of what would typically be provided, to be included in their response
  • when considering the tone and style of response (e.g., plain English, simplified language for children, etc)
  • other circumstances as deemed appropriate by the Senior FOI Manager and/or Deputy Head of Parliamentary Briefing and FOI response

5.24 Transferring requests for information

Where information is not held by NHS England, the organisation will normally:

  • advise the applicant that the information is not held by NHS England
  • provide an explanation, where possible/necessary, of why the information is not held by NHS England
  • where the organisation reasonably believes that another public authority may hold some or all the information requested, advise the applicant of this
  • provide, wherever possible, contact details for any such public authorities to enable the applicant to resubmit their request to the correct organisation

There are rare circumstances where it is more appropriate to transfer a request to another organisation, rather than advising the applicant to resubmit their request. In these circumstances, NHS England will:

  • liaise with the relevant public authority/authorities to confirm that the information is held by them
  • advise the applicant that the information is not held by NHS England
  • provide an explanation, where possible/necessary, of why the information is not held by NHS England
  • explain to the applicant that the information is held by another public authority (or public authorities) and provide their name
  • offer to transfer the applicant’s request to that authority
  • explain to the applicant that for transfer to occur, their consent is required to share their personal details, including contact information, with the receiving organisation
  • request that consent from the applicant
  • explain that the 20-working day timeframe for a response will not commence until the receiving organisation receive the transferred request (i.e. after consent has been provided by the applicant)

Where an applicant does not consent to transfer the case will be closed.

5.25 Consultation

5.25.1 Consultation with suppliers

NHS England recognises that, in some cases, contracts entered into by NHS England (including Crown Commercial Services (CCS) contracts) may contain obligations on NHS England to inform or consult with the supplier of the request and consider their feedback.

In general NHS England contracts will be published on Contracts Finder and Find a Tender in accordance with the Cabinet Office Procurement Policy Note (PPN), which sets out the legal and policy requirements to publish procurement and contract information. However, where a supplier’s provision of services is the subject matter of a request, the Team will engage with the Commercial Team to verify if there is an obligation in the contract to inform or consult the supplier. NHS England will then take reasonable steps to inform or consult the supplier in relation to the request.

The final decision as to what information will be released in response to a request, remains with NHS England.

5.25.2 Consultation with third parties

NHS England recognises that, in some cases, disclosure of information pursuant to a request may affect the legal rights or interests of a third party.

The FOI team will liaise with the team(s) to establish:

  • whether it is necessary/appropriate to liaise with the third party
  • whether contact will occur via the team or the FOI team
  • an agreed timeline for liaising with the third party

NHS England may choose to undertake consultation where:

  • the views of the third party may assist in determining whether some or all of the requested information should be withheld
  • we consider it likely that the third party would benefit from advanced notice of the intended response, e.g., to prepare for potential enquiries from members of the public
  • a significant portion of the information which has been requested was produced or provided by a third party

The above list is not intended to be exhaustive.

NHS England will provide third parties with a copy of the wording of the request (excluding any personal details), and an indication of NHS England’s intended response, including the information relevant to the third party which falls within the scope of the request, (redacted as appropriate).

NHS England may consider that consultation is not appropriate where:

  • the cost or amount of time and/or effort of consulting with the third party would be disproportionate
  • the view of the third party can have no effect on the decision as to whether to disclose the requested information
  • NHS England can predict, with reasonable certainty, the response of the third party (e.g. in circumstances where the third party’s view on the same subject has been recently provided)

The above list is not intended to be exhaustive.

NHS England is not obliged to consult with third parties. Where third parties do not engage with consultation requests or do not supply a response by the deadline agreed between the FOI and teams, NHS England will take their own decision on how best to respond to the request. No presumption will be made about the views of the third party. A third party’s refusal to consent to disclosure does not mean that information will be withheld.

On certain occasions, there will be a large number of third parties which may be impacted from an FOI disclosure. In these circumstances, if it has been determined that third parties need to be contacted, a representative sample will be contacted.

NHS England will take into account any views expressed by a third party when considering what information should be released, however, the final decision as to disclosure remains with NHS England.

2.26 Accepting information in confidence from third parties

NHS England will only accept information from third parties in confidence if it is necessary to obtain that information in connection with the exercise of any of its functions and it would not be otherwise provided.

NHS England will not agree to hold information ‘in confidence’ which is not in fact confidential in nature.

Information which is marked as ‘confidential’ or is recorded as being held ‘in confidence’ is not necessarily exempt from disclosure under section 41 of the FOI Act or Regulation 12(5)(d) (e) or (f) of the EIR. The FOI team will consider, based on the merits of the case, whether information is exempt from disclosure on the basis that it meets the required definition of ‘confidential’ (depending on the exemption or exception which is being relied upon). The FOI Team may consult the Privacy, Transparency and Trust Team, if necessary, in relation to whether any patient data, data about a deceased individual or personal data may be considered confidential before disclosing it. The FOI Team may also consult the NHS England Legal Team, if necessary, in relation to whether any contractual information may be considered confidential under the terms of any commercial agreements in place with third parties.

5.27 Personal data

Under the UK GDPR, Data Protection Act 2018 and the common law duty of confidence, NHS England has a duty to protect the personal data  for which it is responsible. Such data may relate to members of staff, patients, or other individuals. Our duties and responsibilities for protecting personal data are set out in our Data Protection Policy.

For the purpose of this policy, and our Data Protection Policy, our responsibilities extend to data relating to individuals who have died.

Before disclosing any personal data in response to a request under the FOI Act or the Regulations, we must ensure that we meet our data protection obligations. Accordingly, before any personal data which is not already in the public domain is disclosed in response to a request, advice must be sought from the DPO team.

Advice from the DPO team will not be required if the DPO team has agreed that specified categories of personal data relating to specified categories of individuals can be disclosed.

5.27.1 Personal information of staff  

NHS England will generally release the names and/or job titles of those falling into the following groups, without additional consultation:

  • all staff employed at executive senior management (ESM) level
  • all staff who are named on our external-facing website
  • board members

Where NHS England receives a request for the salary of someone who falls into one of the above groups, the Agenda for Change (AfC) banding for their role will be provided. Where an individual’s salary falls outside of AfC, their salary will be given in £5,000 bands. Requestors will be referred to the Annual Report if requesting information about Executive Director’s salaries.

5.28 Public sector contracts

NHS England will have due regard for the standards referred to in the Cabinet Office Procurement Policy Note on the Transparency of Suppliers and Government to the Public, as amended from time to time.

NHS England will, when entering into contracts, refuse to include contractual terms which try to restrict the disclosure of information it holds, relating to the contract, beyond the restrictions allowed by the legislation.

When entering into contracts with non-public authority suppliers, NHS England may be under pressure to accept confidentiality clauses so that information relating to the terms of the contract, its value and performance will be exempt from disclosure. NHS England must reject such clauses wherever possible. Where it is exceptionally necessary to include non-disclosure provisions in a contract, NHS England will investigate the possibility of agreeing with the supplier a schedule of the contract which clearly identifies information which should not be disclosed and the reasons for it being withheld.

NHS England will take care when drawing up any such schedule and be aware that any restrictions on disclosure provided for could potentially be overridden by obligations under the legislation.

Where NHS England receives a request for information which is held on its behalf by a supplier, the team will contact the supplier advising them of the information required within the timescales set out by the FOI team. The supplier is responsible for providing all relevant information to NHS England to allow NHS England to fulfil its duties under the relevant legislation.

All responses to requests must be sent by the FOI Team at NHS England. Contractors/third parties must not liaise directly with applicants. The FOI Team will not share applicant names or other identifying information, to facilitate this. The FOI Team will seek advice from the NHS England Legal Team in relation to any specific contracts as may be necessary.

5.29 Fees and re-use charges

NHS England reserves the right to issue fees notice in line with section 9 of the FOI Act and Regulation 8(4) of the EIR to cover the costs of disbursements (e.g. photocopying, postage etc.)

Under ‘The Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004’, NHS England is permitted to charge a fee to comply with requests made under the FOI Act, where the cost of compliance is estimated to exceed the appropriate limit (as set by Regulation 3 of The Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004) of £450. NHS England reserves the right to issue a fees notice subject to these where it is considered necessary. In most cases where the Appropriate Limit would be exceeded however, NHS England would be likely to refuse to comply with the request.

NHS England will ensure that fees notices are issued as soon as possible, and in any event within 20-working days of the original request being received by the organisation. The 20-working day timeframe will ‘pause’ at the point the fees notice is issued and will not recommence until the necessary payment has been received by the organisation (including the time taken for cheques to clear).

If the applicant does not make the required payment within three months of the date of the fees notice, NHS England will regard the request as being ‘withdrawn’. The request will be closed on NHS England’s case management system and no response will be sent to the applicant.

NHS England is not under any obligation to issue fees notices and will only do so where it is appropriate.

6. Complaints and appeals

6.1 The role of the information commissioner

The Information Commissioner’s Office (ICO) is an independent public authority which upholds Information Rights in the UK. Applicants who are not satisfied with the outcome of their FOI or EIR request and any subsequent Internal Review may ask the ICO to review how NHS England handled their request.

All responses issued by the FOI Team will include information which sets out how the applicant can contact the ICO.

6.2 Internal reviews

Applicants may ask NHS England to conduct an Internal Review (IR) of its handling of requests. IRs consider decisions made, rationale, public interest, timeliness, and all other relevant aspects of the request.

Responsibility for IRs sits with the Senior FOI manager. The Senior FOI manager may assign IR cases to other members of the team as deemed appropriate and necessary, where those members of the team were not originally involved in advising on or handling the request.

The FOI team will identify and communicate with all relevant staff who were actively involved in responding to the original response and invite them to review the handling of the request.

NHS England will conduct IRs within twenty working days, or forty working days where a review is shown to be particularly complex. Extensions to forty working days must be approved by the Senior FOI Manager and the applicant should be notified in writing of the extension no later than the 20th working day.

Applicants who remain unsatisfied with the outcome of an Internal Review will be advised that they may exercise their right to appeal to the ICO.

6.3 Interactions with the ICO

All communications and notifications received by NHS England from the ICO relating to FOI Act and/or the Regulations will be considered and responded to by the FOI Team in accordance with the timeframes indicated by the ICO.

Applicants may ask the ICO to conduct a review of the handling of and response to requests. The ICO will advise NHS England of complaints it has received.

Upon confirmation that the ICO has received a complaint, the FOI team will:

  • notify the senior FOI manager
  • consider whether it is necessary to provide the ICO with further information about the case.
    • this decision will be taken on a case-by-case basis by the Senior FOI Manager in conjunction with other members of the team as appropriate. This may include seeking strategic advice from the Privacy, Transparency and Trust Team, and legal advice from the NHS England Legal team where appropriate
    • where further information is to be provided, this will be carried out by an FOI Manager with support from the rest of the team as appropriate, including the Privacy, Transparency and Trust and/or Legal Teams where appropriate

The ICO may write to NHS England to request specific information about the handling of a case. However, this is not a requirement, and will not occur in cases where the ICO feel that they are already in possession of sufficient information. It is therefore essential that NHS England considers carefully whether it is necessary to provide more information upon receipt of confirmation that the ICO has accepted a complaint, as this may be the only opportunity available to NHS England.

For the purpose of this policy, “ICO cases” are defined as:

  • cases relating to FOI Act or the Regulations for which the ICO have confirmed receipt of a complaint, and where NHS England has opted to supply further information
  • cases relating to FOI Act or the Regulations for which the ICO have written to NHS England and have requested responses to specific queries
  • practice recommendations, decision notices, information notices or enforcement notices from the ICO which set out the actions required by NHS England

The FOI Management Team will work with teams to resolve ICO cases. Teams must prioritise these cases in order to prevent formal regulatory action from the ICO.

ICO cases will be managed by an FOI Manager with support from the FOI team as needed. ICO responses must be approved by the Senior FOI Manager before they are sent to the ICO. The Senior FOI Manager may delegate this responsibility to another member of the team where necessary and appropriate.

Where an ICO case concerns the disclosure or the failure to disclose personal data, the DPO team will be notified of the ICO case and will provide advice.

The FOI team will seek advice from the Privacy, Transparency and Trust team or the Legal team in relation to Practice Recommendations, Decision Notices (in respect of ICO Complaints), Information Notices and Enforcement Notices issued to NHS England.

Responses in relation to Practice Recommendations and Enforcement Notices should be reviewed by the Privacy, Transparency and Trust and Legal Teams and approved by the SIRO or Deputy SIRO and the Director of Legal before being issued.

If either the applicant or NHS England is dissatisfied with an ICO Decision Notice, either party has the right to appeal to the Information Rights Tribunal (General Regulatory Chamber). The ICO include details of how to launch an appeal in their Decision Notice.

6.4 Appeals made to the Information Rights Tribunal by applicants

Where an applicant makes a complaint to the Information Rights Tribunal, their Appeal is against the ICO’s Decision Notice. The Tribunal will therefore notify the ICO, rather than NHS England, of the Appeal. The ICO will, in turn, let NHS England know of the Appeal. This enables NHS England to consider whether we wish to join as a party to the Appeal.

NHS England will, in most cases, opt to join as a party to the Appeal. A final decision on joining will be made by the Deputy Head of Parliamentary Briefings and FOI Response with legal advice from the NHS England Legal Team where required.

The FOI team will notify the SIRO, Deputy SIRO and Director of Legal on receipt of all Notices of Appeal and will seek support from NHS England’s Legal team and the Deputy SIRO, where required, to assist with decision to join the Appeal and the Appeal process. The FOI team will always seek advice from the DPO team on any tribunal cases which specifically challenge the organisation’s decision to withhold personal data.

If NHS England decides to join the proceedings, it will be required submit all relevant documentation to the Tribunal, which includes all internal correspondence within NHS England relating to the handling of the request. This will contain personal data of staff members (such as names, job titles and contact information). This is because the Tribunal may need to determine the efforts made to identify persons to approach, who was involved in making the decision as to what information was available and whether it was disclosable. This may include information about the position they hold within NHS England and the degree of public facing accountability held. This information will form part of the ‘Open Bundle’ unless there is a clear reason why this information may need to be redacted. The ‘Open Bundle’ is seen by all of the parties who have joined the Appeal, including the FOI applicant (Appellant). The FOI team will seek advice from the Legal Team about the inclusion of personal data in the ‘Open Bundle’ and whether to notify NHS England staff members prior to submitting their personal data to the Tribunal.

The information that is subject to the Appeal, and any other contentious material, will form part of the ‘Closed Bundle’. The ‘Closed Bundle’ contains information which should not be seen by the Appellant.

All parties who join the proceedings are prohibited from using the documents obtained during a Tribunal Appeal for anything other than that specific Appeal. To use the documents outside of the Appeal process without permission from the Tribunal could be a contempt of court. (this includes material included in the Open and Closed bundles). Where evidence is later given in a public hearing (i.e. the Tribunal hearing) or documents referenced during a public hearing, the information can become public information as it may be published by the Tribunal or reported on by media or through social media by members of the public in attendance during the hearing. Staff will be provided with advice and support by the Legal team prior to attending a hearing.

The FOI team with advice from the Legal Team (and the team, if required), will together make all final decisions relating to the Appeal which includes review of any submissions before they are submitted to the Tribunal.

6.5 Appeals made to the Information Rights Tribunal by NHS England

The decision for NHS England to appeal against an ICO Decision Notice will be taken by the Deputy Head of External Affairs (Parliamentary Briefing and FOI Response) and the relevant team(s), with advice from NHS England’s Legal team and the Deputy SIRO.

Decisions to appeal ICO Decision Notices will only be taken where there appears to have been a clear error in the application of the law, including where:

  • in the view of the DPO team, there is a risk that personal or confidential data may be disclosed in circumstances which would lead to a breach of UK GDPR or a duty of confidentiality, or
  • In the view of the Legal Team, NHS England considers the ICO should have exercised its judgement differently or would have been likely to have done so had NHS England response to the complaint included additional information or representations which were not provided

6.6 Formal complaints

All formal complaints which are received via the organisation’s complaints process about the discharge of the duties of NHS England under the legislation, other than those which constitute requests for Internal Review, will be handled in the same manner and using the same procedures as any other formal complaint which NHS England receives.

7. Other matters

7.1 Publication scheme

The FOI Act makes it a duty for every Public Authority to adopt and maintain a scheme relating to the publication of information by that authority. Model Publications Schemes are approved and issued by the Information Commissioner.

NHS England’s publication scheme will be updated upon the completion of the re-organisation process following the merger of NHS England, NHS Digital and Health Education England.

7.2 Disclosure log

A Disclosure Log is a publicly accessible record of some or all the responses which an organisation has issued under the FOI Act and/or the EIRs. There is no obligation to produce or maintain a Disclosure Log.

NHS England does not currently publish a Disclosure Log. The Disclose Log previously published by NHS Digital will remain on the legacy NHS Digital website. The organisation will undertake a review of our approach to Disclosure Logs upon the completion of the re-organisation process following the merger of NHS England, NHS Digital and Health Education England and will make a decision on whether to use a Disclosure Log in conjunction with the SIRO.

7.3 Distribution and implementation

This document will be made available to all staff via the NHS England Intranet site.

7.4 Training plan

The FOI team will ensure that members of the FOI Team who are directly engaged in responding to FOI and EIR requests receive relevant training to enable them to appropriately handle those requests.

The FOI team will provide guidance and training to teams and individuals on a regular basis, to support them in responding to requests which they receive.

In addition, the FOI team will provide ad-hoc training to teams, on request, and from time to time to promote the work of the FOI team and increase awareness of FOI policy and processes across the organisation.

7.5 Monitoring

Compliance with this policy will be monitored by the deputy head of parliamentary briefing and FOI response and areas of organisational non-compliance will be reported to the SIRO.

The senior FOI manager is responsible for ensuring that this policy remains current and reflects best practice. The senior FOI manager may nominate members of the wider team to revise and update this document, as necessary. Any revisions will be approved in accordance with corporate governance processes.

8. Equality and health inequalities impact assessment

As part of the development of this policy, its impact on equality has been analysed and no detriment identified.

No detrimental issues were identified.

9. Associated documentation

The following documents will provide additional information:

  • Data Protection Policy
  • Subject Access Request Procedure
  • Confidentiality Policy
  • Document and Records Management Policy
  • Information Security Policy
  • Acceptable Use of ICT Policy
  • Information Sharing Policy
  • Corporate Records Retention and Disposal Schedule
  • FOI Redaction Process

10. Annex A – valid names (FOI Act)

Hypothetical examples of acceptable and unacceptable names provided by applicants.

Name providedWhether acceptable and reason
JoeNo – first names only are not valid
BloggsNo – surnames only are not valid
Joe BloggsYes – full name is valid
BloggoNo – this appears to be a nickname/pseudonym and is clearly not the applicant’s real name
@Bloggo_83No – this social media handle does not provide the user’s real and full name
Mx BloggsYes – title and surname are valid
JBNo – initials only are not valid
Mrs J BloggsYes – this provides the applicant’s title and surname
A concerned citizenNo – this is a pseudonym rather than the applicant’s real name
On behalf of NHS EnglandYes – organisations can submit FOI requests and are considered to be the applicant. As such, a request signed ‘by’ the organisation is valid.

11. Annex B – reasonable adjustments

Process for handling verbal request for information from those with reasonable adjustments

  • where members of the public require reasonable adjustments to submit an FOI request, NHS England has processes in place which allow requestors to submit a verbal request to our Customer Contact Centre (CCC). The CCC will note the need for reasonable adjustments, what adjustments are required and the terms of the FOI request. The request will then be passed to NHS England’s FOI team for processing
  • once in receipt, the FOI team will write to the requestor (via post, in duplicate) to confirm we have interpreted their request correctly. We will ask the requestor to sign one copy of the letter and return it to us so that it can be processed
  • any final response must take into account any identified reasonable adjustments such as large print, preferred font etc.

12. Annex C – interim FOI and EIR process

Proposed interim FOI and EIR process for the new NHS England

The above image shows a complex flow diagram which is difficult to describe – please contact the FOI team if you have any issues with this image or if you require it in another format: england.foi@nhs.net

13. Annex D – FOI Act exemptions

Exempt information under Part 2 of the FOI Act – the exemptions

There are two types of class exemption identified within the Freedom of Information Act 2000:

  • absolute – which do not require a test of prejudice or the balance of public interest to be in favour of non-disclosure.
  • qualified – by the public interest test, which require the public body to decide whether it is in the balance or public interest to not disclose

Apart from section 21 (information available by other means) exemptions apply not only to the communication of information, but also to the duty to confirm or deny, if that itself would disclose information which is reasonable to withhold.

The descriptions below are for reference only. For detailed descriptions please refer to the FOI Act itself.

Absolute exemptions:

Section 21 – Information accessible to the applicant by other means: Information which is already in the public domain, such as that which is published in the Publication Scheme or information which is available to the applicant through some other means.

Section 23 – Information supplied by, or relating to, bodies dealing with security matters: This applies only to information supplied by or relating to security bodies.

Section 32 – court records: Information that is only held as part of the documentation for a court, tribunal case or a statutory inquiry.

Section 34 – Parliamentary privilege: Where disclosure would infringe the privileges of either House of Parliament.

Section 37 – communications with the Royal Family: Communications with the monarch, the heir to the throne and the second in the line of succession.

Section 40(1) – Personal information: Information which is personal to the person making the request.

Section 40(2) – Personal information: Information which is personal to any person other than the person making the request, and which would contravene data protection principles if released.

Section 41 – Information provided in confidence: Disclosure would result in an ‘actionable’ breach of confidence where information has been provided by an external source.

Section 44 – Legal Prohibitions on Disclosure: Where disclosure of information is prohibited by any other law or regulation, or if it would be a contempt of court.

Qualified exemptions:

Section 22 – Information intended for future publication: Where publication was planned at the time the request was received. Applicants will be advised when the information will be published and how it can be obtained.

Section 22A – Research information intended for future publication: Where information which has been obtained or derived from research which is due to be published.

Section 24 – National Security: Information that is not covered by Section 23 under the Absolute Exemption category above, but exemption is needed to safeguard national security.

Section 26 – Defence: Information which would or would be likely to prejudice the defence of the British Isles or any of its colonies.

Section 27 – International relations: Information which would or would be likely to prejudice relations between the United Kingdom and any other state.

Section 28 – Relations within the United Kingdom: Information which would or would be likely to prejudice relations within the United Kingdom.

Section 29 – Economy: Information which would or would be likely to prejudice the economic or financial interests of the United Kingdom.

Section 30 – investigations: Information held for the purposes of investigations which the organisation is required to carry out. Sections 30 and 31 are mutually exclusive.

Section 31 – law enforcement: Information which would or would be likely to prejudice the prevention or detection of crime. Sections 30 and 31 are mutually exclusive.

Section 33 – audit functions: Information which would or would be likely to prejudice the audit functions of the organisation.

Section 35 – formulation of government policy: Information relating to the formulation of government policy. Can only be claimed by government departments and the Welsh Assembly Government. NHS England is not permitted to rely on section 35. Sections 35 and 36 are mutually exclusive.

Section 36 – effective conduct of public affairs: Information which would or would be likely to prejudice the effective conduct of public affairs. Sections 35 and 36 are mutually exclusive.

Section 37 – communications with the Royal Family and the conferring of honours: Communications with members of the Royal family other than the monarch, the heir to the throne and the second in the line of succession. Also, information on the conferring of honours.

Section 38 – health and safety: Information which would or would be likely to endanger the mental or physical health of any individual.

Section 39 – environmental information: Information which relates to the environment. Such information should instead be processed under the terms of the EIRs.

Section 40(2) – Personal Information: Personal information of someone other than the applicant, other than that which is covered by the absolute exemption at section 40(2).

Section 42 – Legally privileged: Information which is protected by legal privilege.

Section 43 – trade secrets and commercially sensitive information: Information which constitutes a trade secret or would otherwise prejudice the commercial interest of any organisation.

14. Annex E – EIR exceptions

Exceptions to the duty to disclose environmental information under Part 3 of the EIRs

Regulations 5, 12(3) and 13 – personal data

5(3) – information which is the personal data of the applicant.
12(3) – information which is the personal data of someone other than the applicant, except where disclosure would be in accordance with regulation 13.
13 – information which is prohibited from disclosure under the UK GDPR or the Data Protection Act 2018.

Regulation 12(4)

a) information which is not held at the time of the request
b) the request is manifestly unreasonable
c) the request is formulated in too general a manner
d) the requested material is in draft/unfinished format
e) the request is for internal communications

Regulation 12(5) – ‘adverse effect’ exceptions

These exceptions relate to information which would adversely affect:

a) international relations, defence, national security or public safety
b) the ability of a person to receive a fair trial, or for an organisation to conduct an investigation of a criminal or disciplinary nature
c) intellectual property rights
d) confidentiality of proceedings
e) confidentiality of commercial or industrial information
f) the interests of the confider (subject to limitations)
g) the protection of the environment to which it relates

15. Annex F – redaction process

This process sets out how redactions will normally be handled. The FOI team reserves the right to manage cases outside of this process where it is deemed appropriate and/or necessary.

  • team provide the FOI team with a clean copy of the requested information which falls within the scope of the request
  • team identify any concerns about information that needs to be withheld and highlight any proposed redactions with reasons
  • team and FOI team work together to confirm and agree proposed redactions along with relevant exemptions
  • team produces final highlighted version of information with key to confirm relevant exemptions for each redaction, if more than one exemption is engaged
  • FOI team mark information for redaction with text overlay to identify relevant exemptions (as necessary)
  • team approves marked redactions (along with draft response)
  • FOI team apply redactions and save clean, marked for redaction and final redacted versions of information in FOI files
  • FOI team issue approved response with approved final redacted version of information

16. Annex G – process for the handling of spreadsheets in response to FOI requests

1. The preferred approach of providing the data is to provide them as pdf copies rather than spreadsheets.

2. If they should definitely be sent out as spreadsheets, then the file format should be converted to CSV documents rather than Excel documents, wherever possible.

3. In instances where it is not practical to convert to CSV format or to embed it into the response, the team who created the spreadsheet will be asked to expressly approve that the Excel document does not contain any hidden fields or personal identifiable data.

4. All spreadsheets, will then be double-checked using the file inspection tool in Excel:

  • under file in the opened spreadsheet document
  • click on ‘Check for Issues’
  • click on ‘Inspect document’ (this should bring up items including embedded documents, pivot tables, etc, which are usually ticked to be inspected within the spreadsheet, if they are not already ticked, tick all that is relevant to be inspected)
  • remove each item it brings up that should be removed, especially any embedded documents and pivot tables; it even allows you to remove author names)
  • reinspect the document/spreadsheet
  • save this inspected document/spreadsheet (correctly named) for issue with the response.

Annex H – interim escalation process

This process sets out the current interim process for handling cases which require escalation. We will be reviewing this process in 2024. The FOI team reserves the right to manage cases outside of this process where it is deemed appropriate and/or necessary:

  • if no acknowledgement of the request from team by day 8 – case officer to escalate to FOI manager
  • if no response provided by team by day 12 (with no explanation for the delay) – case officer to escalate to FOI manager
  • if still no response by Day 15 – case officer to escalate to senior FOI manager
  • if still no response by Day 16 – case officer to escalate to deputy head of parliamentary business and FOI responses
  • if still no response deputy head of parliamentary business and FOI responses to escalate, including escalation to national director, as appropriate