Responding to the Covid-19 pandemic is stretching our public services. Most obviously the NHS is diverting all the resources it can to meeting critical health needs. But local authorities are also struggling to maintain vital services in the face of unprecedented demands and staff who, if not already ill and self-isolating, are obliged to comply with social distancing measures. Other public authorities are facing logistical challenges in maintaining services and some are even having to put some staff on HMRC-funded furlough.
In such challenging circumstances, where does dealing with information requests under Freedom of Information and DataProtection laws sit in the scheme of priorities? Many authorities who are fortunate enough to have staff dedicated to handling FOI requests or data subject access requests will have re-tasked them to undertake more business-critical roles. Where staff have information request handling as only part of their role, other more pressing duties are likely to trump FOI and DP timescales. And where staff are working from home and access to premises either discouraged or forbidden, manual records may remain inaccessible for weeks or months to come. Where requests are made by post, they may be delivered to offices which will not be staffed for some time.
The response of the Scottish Government has been robust. On 1 April 2020, the Scottish Parliament passed the Coronavirus (Scotland) Bill which, while retaining the statutory requirement to “respond promptly”, extends the timescale for responding to requests under the Freedom of Information (Scotland) Act 2002 from twenty to sixty working days. Moreover, Part 2 of Schedule 6 provides a mechanism for the Scottish Ministers to allow Scottish public authorities to extend the timescale, subject to providing written notice to the applicant, by a further forty working days, where the authority “determines that it is not reasonably practicable to respond to the request within the relevant period because of… (a) the volume and complexity of the information requested, or (b) the overall number of requests being dealt with by the authority at the time that the request is made.”
The emergency legislation also allows the Scottish Information Commissioner to find that a public authority has not failed in their duties under FOISA if he is satisfied that the failure to respond within timescales was due to the impact of coronavirus and reasonable in the circumstances. The Scottish Information Commissioner for his part is keen to remind public authorities that their duty to respond promptly remains, that the measures are temporary, and that they do not extend to the Environmental Information (Scotland) Regulations 2004 (EISR).
Of course, the Scottish Parliament cannot legislate with regard to data protection (where EU and UK legislation applies) nor can it amend the timescales for requests under the EISR as they implement the obligations of the Aarhus Convention. But as far as they can do so, the Scottish Government and Parliament have sought to relax the demands of information requests in the face of the pandemic.
For data subject access requests under GDPR (or s 45 of the Data Protection Act 2018 where they relate to law enforcement processing) and requests under the Freedom of Information Act 2000, there is no relaxation of the law. This was despite the call to do so from some quarters, including the Local Government Association who called on Parliament to include measures “temporarily relaxing the requirements on councils in regard to GDPR and FOI”. We rely instead on flexibility from the Information Commissioner as regulator.
While the UK Government did not take the opportunity of the Coronavirus Act to take extend time limits(and would be unable to do so in any case with regard to GDPR as we are still in the transition period), the ICO has made clear they will not penalise organisations who have made understandable decisions to prioritise other tasks. As they state on their website, “We are a reasonable and pragmatic regulator, one that does not operate in isolation from matters of serious public concern. Regarding compliance with information rights work when assessing a complaint brought to us during this period, we will take into account the compelling public interest in the current health emergency.”
Organisations should therefore be reassured that they are unlikely to face official censure or significant public criticism if they make reasonable decisions to prioritise other tasks to protect and serve the public ahead of normal levels of service for FOI requests and subject access requests. If your organisation, almost inevitably, is finding it difficult to meet the timescales at this difficult time, we would suggest you take a common-sense and measured approach:
- Make a record of your decisions to re-allocate resources from handling information rights requests to other service-delivery priorities;
- Document the practical challenges (such as inaccessibility of manual records or post, and unavailability of key colleagues) which mean that it is “reasonable in all the circumstances” that the organisation is not able to meet normal levels of performance;
- Manage the expectations of applicants through your website and in your acknowledgements of requests and your automated email responses, and continue to communicate with applicants as far as you are able to do so;
- At the point at which your organisation, and the rest of humanity, is beginning to recover from the Covid-19 emergency, develop and document an action plan for addressing any backlog of requests which has built up.
At Act Now, we are passionate about the importance of information rights: They are at the heart of our democracy and our human rights. But the right to life must take priority over others, and we would be the first to recognise that organisations and individuals must make decisions which put people first, particularly at a time of global emergency.
Be kind and stay safe.
More on this and other developments in our FREE GDPR update webinar. Looking for a GDPR qualification from the comfort of your home office? Our GDPR Practitioner Certificate is now available as an online option.