Category: Freedom of Information

20 Years of FOI: An Interview with Maurice Frankel  

It is more than 20 years since the Freedom of Information Act came into force. Now more than ever transparency is an important aspect of public life and indeed a democratic necessity.  

In Episode 3of the Guardians of Data podcast we discussed these issues with our guest was Maurice Frankel OBE, director of the Campaign for Freedom of Information .  

The following is an abridged version of the podcast focusing on Jon’s advice to IG professionals.   

Question: What was life like before the Freedom of Information Act? How easy was it to obtain information from the public sector? 

Answer: It was extremely difficult in most cases; unless the information you were asking for, was helpful for the public authorities position, in which case the authority would be prepared to release it. But if you asked for information which might question its position, then it was very difficult to get the information and officials, council leaders and ministers would treat the information as if it was their own personal information, and they’d sometimes be affronted that you would even ask and expect that information to be disclosed. 

What were the other challenges in terms of getting the FOI Act onto the statute books? 

Well, the fact is, the government realized and Tony Blair realised, once the legislation was going through Parliament that, this was something that would cause them problems. And, it came to the point at which, the government privately threatened to pull the FOI Bill from Parliament if further improvements to the bill were made during its parliamentary progress.  

Jack straw, who was the Home Secretary and the Justice Minister, confirmed this in his memoirs; that the government actively considered dropping the FOI Bill, for fear that it had gone too far, that it was providing too much openness; that explains why they put it off for so long. 

You mentioned the cost limit. There was a story recently about an author who had a number of FOI requests about Andrew Mountbatten Windsor refused on costs grounds. Do you think there’s a case here for the cost limit rules to be changed so FOI requests cannot be refused on the grounds of costs if there’s a strong public interest in disclosing the information? 

Well, I think there’s a good case for that. We argued for that when the FOI Bill was going through Parliament because, it was obvious that you had an absolute limit on what could be disclosed based on the time needed to find it, essentially. And there was no way through that. And that limit applied in the same way to a request about the purchase of government stationery and to information the government held about a life threatening disease or potential pandemic. And, the case for treating those differently and recognising the public interest in serious cases, I think is very strong. Now the government will argue that everybody will make a public interest case for disclosure. But everybody does make a public interest case for disclosure of information about commercial interests, law enforcement matters and so on. And the exemption does not, collapse in every case simply because somebody makes that argument. Tt gives way when there is genuine evidence which justifies a disclosure of otherwise exempt information. I think the same could take place if there was a public interest test applying to the cost limit. 

You mentioned previously with regards to inquiries and their power to seek information from government. The Covid inquiries are ongoing. We’ve about the use of unofficial communications such as WhatsApp, Signal and Google Chat by ministers and advisers and in some cases, them using disappearing messages. What does that say to you about attitudes to transparency when it comes to the major decisions, particularly around Covid? 

Well, a chunk of the history will have been lost forever. It may be that there’s enough been recorded, to make up for that in the main areas. But I think the use of auto deletion, or messaging software, is a very unhealthy development. And if it’s possible to prevent officials using it, even where they need to use messaging software for efficiency purposes, they should not be able to use software, which automatically deletes messages once they’ve been read. I think that is inimical to proper record keeping practices, to accountability and to the operation of the Freedom of Information Act. 

Do you think that the fallout from the Epstein Scandal and the Covid Inquiry so far, is going to lead to improvements in government transparency, or is it going to lead to more unrecorded decisions? 

Well, I think the surprising thing is that very embarrassing material has come out of the Post Office Inquiry. For example, about the real reasons for continuing with various practices, despite the fact that it was well known that the Post Office was subject to the Freedom of Information Act and was receiving Freedom of Information requests. So I think what is perhaps more surprising is how much of that information has survived, despite the existence of FOI. I mean, when the Act was being discussed in the early days, the government would argue that people would use post-it notes to record sensitive information so that these could be pulled off the documents when an FOI request was received. And so they believed that the threat of disclosure would prevent anything significant, which could be embarrassing being recorded in a permanent form at all, and that’s not proved to be the case. And I think that is probably because, first of all, the chances, I think officials will recognise that they’re dealing with vast volumes of documents, and very few of those were ever requested under FOI. And that means the ordinary incentive to carry on, recording information in the ordinary way or sending recorded information to colleagues, in the ordinary way, carries on, despite what in practice, maybe a hypothetical possibility of an FOI request being received at some later stage. So the information is, is not that vulnerable, to pre-emptive destruction, to prevent disclosure. I think that is perhaps a reassuring, result of these inquiries. 

I agree with you, Maurice, that having had over twenty years of FOI, we are seeing the government disclosing more information, sometimes embarrassing as well and certainly the inquiry system is disclosing more information perhaps, than the Freedom of Information Act would have allowed. So together, I think I agree we have made progress. But do you think there is still room for improvement? Do you think certain public authorities need to improve more than others? 

Well, I think there’s room for improvement across the board. I think there’s a number of things. I think the first thing is, authorities are sometimes too keen to impute bad motive to a requester, just as requesters are sometimes too keen to impute bad motive to a public authority for withholding information.  

I think a second problem is that, public authorities are not making proper use of Boolean searches,. That is, they’re not searching for search term A combined with search term B, but excluding search term C. They are simply looking for hits under particular search terms and not intelligently, using the ability that their systems in many cases, must have to narrow the request by proper use of the of search language. So I think that needs to be looked at.  

And I also think that the Act itself needs to be amended, to address some of the shortcomings that it creates. And, chief of those is, the reasonable extension to consider the public interest test. So the twenty working days is extendable by an unspecified reasonable period to consider the public interest test. I think that extension should be got rid of, just as the Environmental Information Regulations have got rid of it (and Scotland’s Freedom of Information Act, has never adopted that approach). 

Where do you think FOI is going? If we get a change of government, do you think you’ll be back on the campaign trail trying to save FOI? 

Well, we are always aware of the fact that the Act could come under threat at any time. The number of times we have had to come in and try and defend the Act against attempts by, initially the Blair Administration, then the Coalition Government, Conservative Government, to stop attacks on FOI is remarkable.  

I mean, we had attempts to remove Parliament itself from the scope of the act in the early days. There was an attempt to expand the cost limit so that the cost limit of effectively 18 hours or 24 hours of time spent looking for information would apply not to a single request, or to all similar requests within a sixty working day period, but to all requests by a requester to the same public authority, whether they were related or not. And that would mean that, and not just from the same individual requester, but from the same organisation. So it would mean that major news organisations would be limited to one or two requests to the Home Office in a in a three month period, spread amongst all of their journalists. This was seriously put forward by the Blair Administration in the early days. And so, I don’t underestimate the threat to FOI.  

The most recent serious threat we had was, the government setting up the Independent Commission on Freedom of Information, in the mid-nineties, where the unspoken aim was to remove information about policy making from the scope of FOI altogether. We did a very detailed analysis of all Tribunal decisions over, I think, a sixteen month period, relying on section 35, and showed that in very many cases, the exemption worked as it the government had intended it to work. That is, it protected sensitive discussions, from disclosure even after the decision had been taken. But that in a number of cases where the public interest justified it, that information was disclosed and the Tribunal accepted that that was the exemption and the public interest test working as it was supposed to, and that there should be no change to that that position. And so I think that was a very important milestone in the Act, because that resulted in the government before the final report was published, announcing that it hoped the Independent Commission would not require any weakening of the Freedom of Information Act, whereas a weakening of the Act had been the whole purpose of setting up the Commission 

And just finally, some words of inspiration for our new professionals please Maurice. 

Try and understand what the rationale for bringing FOI in actually was, and that was that openness serves the public interest. It serves the interest of accountability. It deters bad practice and it exposes unacceptable conduct. Those are all things which authorities, should be endorsing. And the FOI officers in particular, should see that as the benefit of freedom of information. And in my own experience where I’ve been provided information in the right spirit, it does change your view of the authority you’re dealing with. It does make you more willing to accept what they tell you, and more willing to have confidence in their decisions. It increases public trust in the organisation which can only be a good thing.  

You can listen to the full Episode 3 podcast with Maurice here. 

ICO to Review Public Sector GDPR Compliance Enforcement Approach

In June 2022, the Information Commissioner’s Office (ICO) revised its approach to enforcement of the UK GDPR against public sector organisations.  The two-year trial was announced in an open letter from the Information Commissioner, John Edwards, to public authorities in which he indicated that greater use would be made of the ICO’s wider powers, including warnings, reprimands and enforcement notices, with fines only issued in the most serious cases. Mr Edwards said:

“I am not convinced large fines on their own are as effective a deterrent within the public sector. They do not impact shareholders or individual directors in the same way as they do in the private sector but come directly from the budget for the provision of services. The impact of a public sector fine is also often visited upon the victims of the breach, in the form of reduced budgets for vital services, not the perpetrators. In effect, people affected by a breach get punished twice.”

This new approach has seen the Commissioner over the last two years issue more reprimands than fines. One example of this approach was the issuing of reprimand to the Department for Education (DfE) following its misuse of the personal data of up to 28 million children. The ICO said at the time that, had the new trial approach not been in place, the DfE would have been issued with a fine of over £10 million. Some would say that the DFE got off very lightly and, given their past record, perhaps more stringent sanctions should have been imposed. Two years ago, the ICO criticised the DfE for secretly sharing children’s personal data with the Home Office, triggering fears it could be used for immigration enforcement as part of the government’s hostile environment policy.

More recently the ICO was criticised for only issuing a  reprimand to the Electoral Commission following the discovery that unspecified “hostile actors” had managed to gain access to copies of the electoral registers, from August 2021. Hackers also broke into its emails and control systems. The Commission estimated the register for each year contained the details of around 40 million people. The ICO reprimand revealed that the Commission did not take basic security steps to ensure the protection of personal data.

On 26th June 2024, the ICO announced that it will now review the two-year trial before making a decision on the public sector approach in the autumn. It will be interesting to see whether the ICO views the approach as a success and if it will be continued or even extended to the private sector.

Enjoy reading our blog? Help us reach 10,000 subscribers by subscribing today!

This and other data protection developments will be discussed in detail on our forthcoming  GDPR Update  workshop.

Common FOI Requests By Sector

Despite the General Election, its business as usual for FOI practitioners. In fact many will report an increase in FOI requests. Understanding what requestors are interested in can help FOI practitioners to consider whether proactive publication of this information would benefit their organisation and help to reduce information requests. 

Working with WhatDoTheyKnow (WDTK), the ICO have analysed a sample of more than 150,000 requests made during 2022 and identified common themes in the information that has been requested. This has been broken down into 5 sectors:

Health

  • Meetings, committees, and minutes
  • Data and statistics
  • Complaints 
  • Recruitment and staffing information, including fuel allowance and travel costs
  • Policies
  • Mental health care

Local Government 

  • Highways, roads and parking  
  • Bus lanes and bus services
  • Children, schools and care
  • Housing and planning
  • Contracts
  • Internal correspondence
  • Asbestos

Education 

  • Admissions
  • Grades, scores and results 
  • Management and finances 
  • Economics, law, engineering, science and medicine courses.

Central Government 

  • Data and statistics
  • Correspondence and communications
  • Meetings
  • Covid-19
  • Costs

Emergency Services 

  • Statistical information
  • Hate crimes, crimes of a sexual nature, assault, and stalking
  • Vehicle and fleet 
  • Roads and speed limits

The ICO says that understanding the public’s information needs can better equip public authorities to meet one of the challenges set out in their recent open letter to senior leaders: ‘… look at what people are asking you about and actively publish it.’ Proactive publication also leads to greater transparency and could decrease the number of information requests public authorities receive.

Our FOI Exemptions workshop is ideal for FOI Officers who want to develop their knowledge of the exemptions and sharpen their Refusal Notice writing skills.

Lessons On Transparency: The ICO Experian Appeal

The Information Commissioner’s Office recently lost its appeal in the Upper Tribunal in relation to an Enforcement Notice issued to Experian.  

The concerned Experian’s marketing arm, Experian Marketing Services (EMS) which provides analytics services for direct mail marketing companies. It obtains personal data from three types of sources; publicly available sources, third parties and Experian’s credit reference agency (CRA) business. The company processes this personal data to build profiles about nearly every UK adult. An individual profile can contain over 400 data points. The company sells access to this data to marketing companies that wish to improve the targeting of their postal direct marketing communications 

On 20th February 2023, the First-Tier (Information Rights) Tribunal (FTT) overturned an ICO Enforcement Notice issued to Experian. The notice alleged several GDPR violations namely; Art. 5(1)(a) (Principle 1, Lawfulness, fairness, and transparency), Art. 6(1) (Lawfulness of processing) and Art. 14 (Information to be provided where personal data have not been obtained from the data subject). For more detail of the FTT judgement read our earlier blog here

On 23rd April 2024, the Upper Tribunal dismissed the ICO’s appeal against the FTT’s judgment. This can be read here along with a useful press summary. The Upper Tribunal backed the FTT’s conclusions while repeatedly criticising its unclear reasoning. 

The broader value of the judgment lies in its guidance, for the first time at this level, of what the transparency requirement under the UK GDPR involves (see paragraph 95). It also sets out its views on the current data protection landscape more generally. 5 Essex Court have a good summary of the judgement on their website.  

The ICO’s has issued a (“Let’s look on the bright side”) statement stating that: 

“The ICO will take stock of today’s judgment and carefully consider our next steps, including whether to appeal.” 

This and other data protection developments will be discussed in detail on our forthcoming  GDPR Update  workshop. 

Transparency in Health and Social Care: New ICO Guidance 

Within the health and social care sector, new technologies that use large amounts of personal data are being used to support both direct care and secondary purposes, such as planning and research. An example is the the use of AI to provide automated diagnoses based on medical imaging data from patients. 

Transparency is a key principle of UK Data Protection legislation. Compliance with the first data protection principle and Article 13 and 14 of the UK GDPR ensures that data subjects are aware of how their personal data is used, allowing them to make informed choices about who they disclose their data to and how to exercise their data rights. 

On Monday the Information Commissioner’s Office (ICO) published new guidance to assist health and social care organisations to comply with their transparency obligations under the UK GDPR. It supplements existing ICO guidance on the principle of transparency and the right to be informed

The guidance is aimed at all organisations, including from the private and third sector, who deliver health and social care services or process health and social care information. This includes local authorities, suppliers to the health and social care sector, universities using health information for research purposes and others (e.g. fire service, police and education) that use health information for their own purposes. The guidance will help them to understand the definition of transparency and assess appropriate levels of transparency, as well as providing practical steps to developing effective transparency information. 

This and other data protection developments will be discussed by Robert Bateman in our forthcoming GDPR Update workshop. We have also just launched our new workshop, Understanding GDPR Accountability and Conducting Data Protection Audits.   

Experian’s GDPR Appeal: Lawfulness, Fairness, and Transparency

On 20th February 2023, the First-Tier (Information Rights) Tribunal (FTT) overturned an Enforcement Notice issued against Experian by the Information Commissioner’s Office (ICO). 

This case relates to Experian’s marketing arm, Experian Marketing Services (EMS) which provides analytics services for direct mail marketing companies. It obtains personal data from three types of sources; publicly available sources, third parties and Experian’s credit reference agency (CRA) business. The company processes this personal data to build profiles about nearly every UK adult. An individual profile can contain over 400 data points. The company sells access to this data to marketing companies that wish to improve the targeting of their postal direct marketing communications. 

The ICO issued an Enforcement Notice against Experian in April 2020, alleging several GDPR violations namely; Art. 5(1)(a) (Principle 1, Lawfulness, fairness, and transparency), Art. 6(1) (Lawfulness of processing) and Art. 14 (Information to be provided where personal data have not been obtained from the data subject). 

Fair and Transparent Processing: Art 5(1)(a) 

The ICO criticised Experian’s privacy notice for being unclear and for not emphasising the “surprising” aspects of Experian’s processing. It ordered Experian to: 

  • Provide an up-front summary of Experian’s direct marketing processing. 
  • Put “surprising” information (e.g. regarding profiling via data from multiple sources) on the first or second layer of the notice. 
  • Use clearer and more concise language. 
  • Disclose each source and use of data and explain how data is shared, providing examples.  

The ICO also ordered Experian to stop using credit reference agency data (CRA data) for any purpose other than those requested by Data Subjects. 

Lawful Processing: Arts. 5(1)(a) and 6(1) 

All processing of personal data under the GDPR requires a legal basis. Experian processed all personal data held for marketing purposes on the basis of its legitimate interests, including personal data that was originally collected on the basis of consent. Before relying on legitimate interests, controllers must conduct a “legitimate interests assessment” to balance the risks of processing the risks. Experian had done this, but the ICO said the company had got the balance wrong. It ordered Experian to: 

  • Delete all personal data that had been collected via consent and was subsequently being processed on the basis of Experian’s legitimate interests. 
  • Stop processing personal data where an “objective” legitimate interests assessment revealed that the risks of the processing outweigh the benefits. 
  • Review the GDPR compliance of all third parties providing Experian with personal data. 
  • Stop processing any personal data that has not been collected in a GDPR-compliant way. 

Transparency: Art. 14 

Art. 14 GDPR requires controllers to provide notice to data subjects when obtaining personal data from a third-party or publicly available source. Experian did not do provide such notices relying on the exceptions in Art 14. 

Where Experian had received personal data from third parties, it said that it did not need to provide a notice because “the data subject already has the information”. It noted that before a third party sent Experian personal data, the third party would provide Data Subjects with its own privacy notice. That privacy notice would contain links to Experian’s privacy notice.
Where Experian had obtained personal data from a publicly available source, such as the electoral register, it claimed that to provide a notice would involve “disproportionate effort”. 

The ICO did not agree that these exceptions applied to Experian, and ordered it to: 

  • Send an Art. 14 notice to all Data Subjects whose personal data had been obtained from a third-party source or (with some exceptions) a publicly available source. 
  • Stop processing personal data about Data Subjects who had not received an Art. 14 notice. 

The FTT Decision  

The FTT found that Experian committed only two GDPR violations: 

  • Failing to provide an Art. 14 notice to people whose data had been obtained from publicly available sources. 
  • Processing personal data on the basis of “legitimate interests” where that personal data had been originally obtained on the basis of “consent” (by the time of the hearing, Experian had stopped doing this). 

The FTT said that the ICO’s Enforcement Notice should have given more weight to:  

  • The costs of complying with the corrective measures. 
  • The benefits of Experian’s processing. 
  • The fact that Data Subjects would (supposedly) not want to receive an Art. 14 notice. 

The FTT overturned most of the ICO’s corrective measures. The only new obligation on Experian is to send Art. 14 notices in future to some people whose data comes from publicly available sources. 

FTT on Transparency 

Experian had improved its privacy notice before the hearing, and the FTT was satisfied that it met the Art. 14 requirements. It agreed that Experian did not need to provide a notice to Data Subjects where it had received their personal data from a third party. The FTT said that “…the reasonable data subject will be familiar with hyperlinks and how to follow them”.
People who wanted to know about Experian’s processing had the opportunity to learn about it via third-party privacy notices. 

However, the FTT did not agree with Experian’s reliance on the “disproportionate effort” exception. In future, Experian will need to provide Art. 14 notices to some Data Subjects whose personal data comes from publicly available sources. 

FTT on Risks of Processing 

An ICO expert witness claimed that Experian’s use of CRA data presented a risk to Data Subjects. The witness later admitted he had misunderstood this risk. The FTT found that Experian’s use of CRA data actually decreased the risk of harm to Data Subjects. For example, Experian used CRA data to “screen out” data subjects with poor credit history from receiving marketing about low-interest credit cards. The FTT found that this helped increase the accuracy of marketing and was therefore beneficial. As such, the FTT found that the ICO had not properly accounted for the benefits of Experian’s processing of CRA data. 

The ICO’s Planned Appeal 

The FTT’s decision focuses heavily on whether Experian’s processing was likely to cause damage or distress to Data Subjects. Because the FTT found that the risk of damage was low, Experian could rely on exceptions that might not have applied to riskier processing.  

The ICO has confirmed that it will appeal the decision. There are no details yet on their arguments but they may claim that the FTT took an excessively narrow interpretation of privacy harms. 

This and other data protection developments will be discussed in detail on our forthcoming  GDPR Update  workshop. There are only 3 places left on our next Advanced Certificate in GDPR Practice.  

New DP and IG Practitioner Apprenticeship

Act Now Training has teamed up with Damar Training on materials and expertise underpinning its new Data Protection and Information Governance Practitioner Level 4 Apprenticeship.

The apprenticeship, which received final approval in March, will help develop the skills of those working in the increasingly important fields of data protection and information governance. 

With the rapid advancement of technology, there is a huge amount of personal data being processed by organisations, which is the subject of important decisions affecting every aspect of people’s lives. This poses significant legal and ethical challenges, as well as the risk of incurring considerable fines from regulators for non compliance. 

This apprenticeship aims to develop individuals into accomplished data protection and information governance practitioners with the knowledge, skills and competencies to address these challenges.

Ibrahim Hasan, Director of Act Now, said:

“We are excited to be working Damar Training to help deliver this much needed apprenticeship. We are committed to developing the IG sector and encouraging a diverse range of entrants to the IG profession. We have looked at every aspect of the IG Apprenticeship standard to ensure the training materials equip budding IG officers with the knowledge and skills they need to implement the full range of IG legislation in a practical way.

Damar’s managing director, Jonathan Bourne, added:

“We want apprenticeships to create real, long-term value for apprentices and organisations. It is vital therefore that we work with partners who really understand not only the technical detail but also the needs of employers.

Act Now Training are acknowledged as leaders in the field, having recently won the Information and Records Management Society (IRMS) Supplier of the Year award for the second consecutive year. I am delighted therefore that we are able to bring together their 20 years of deep sector expertise with Damar’s 40+ year record of delivering apprenticeship in business and professional services.

This apprenticeship has already sparked significant interest, particularly among large public and private sector organisations and professional services firms. Damar has also assembled an employer reference group that is feeding into the design process in real time to ensure that the programme works for employers.

The employer reference group met for the first time on May 25. It included industry professionals across a variety of sectors including private and public health care, financial services, local and national government, education, IT and data consultancy, some of whom were part of the apprenticeship trailblazer group.

If your organisation is interested in the apprenticeship please get in touch with us to discuss further.

Reflections of an Act Now FOI Trainer

People in a meeting

Susan Wolf writes…

They say time flies when you are having fun. Well, I must have been having fun because I can’t quite believe I have been training with Act Now for over 12 months. Really where has the time gone? During my time at the University of Northumbria I developed the habit of keeping a journal in which I reflected on my teaching. Old habits die hard and I have continued this practice now that I am a regular Act Now training consultant. Looking back over my journal for the last 12 months a number of common themes became apparent. I thought it might be interesting to share these. However before I do, I just want to thank all the delegates I have met for challenging me, keeping me on my toes and reminding me how interesting life can be in Freedom of Information Land.

Training practitioners is not something new to me. For over 11 years I taught FOI practitioners on the Northumbria University LLM in Information Rights Law & Practice Degree. However, the Act Now courses, with their focus on practical training have exposed me to a wider range of people, from a wide range of public sector organisations, all trying to get to grips with broadly similar issues. From the most experienced practitioner who wants a ‘top up course’ to the absolute beginner who has just landed their first job in information rights, all practitioners appear to share some common concerns and worries.

There are also some widely shared misconceptions which still seem to cause the odd debate, despite the Freedom of Information Act 2000 being almost 15 years old. For instance, I have heard some delegates say that the ‘clock start’s ticking’ on a FOI request on the day it is received by a public authority. I have also heard delegates talk about fines that the ICO can impose for breaches of the Freedom of Information Act. Those are always good to correct, and it is nice to hear the sigh of relief when they are advised correctly on these points.

However, I also frequently get asked questions that there are, quite simply, no definitive answers to. In good ‘lawyer’ tradition I could say ‘well that depends’ but that isn’t always what people want to hear. For example, I have been asked questions about how far a public authority must go in advising and assisting an applicant, or how many times they need to go back to the applicant to clarify a tricky request. Another question that taxes people is how long it is reasonable to wait between requests before engaging S. 14 (2) for repeated requests. These are always good for some discussion, but often time is limited on a one-day course, particularly when delegates quite rightly expect we cover all the course content.

Other misconceptions or worries centre on issues relating to the redaction of staff names in email correspondence; how to distinguish between ‘business as usual’ questions and FOI requests; or the significance of ‘confidentiality’ markings on information provided by third party contractors. The ‘new’ Freedom of Information 2018 Code of Practice addresses some of these issues. However not all FOI practitioners are necessarily aware of the provisions of the new Code. Of course, it is difficult for practitioners, who are undoubtedly over-burdened, to keep up to date and on top of things, or indeed for us to cover these issues in detail in a one-day course. One way of keeping up to date is to read our Act Now blogs, which are all written by Act Now consultants and which deal with new developments and case law. However, this journey of reflection has made me realise that it would be useful to write some ‘Back to Basics’ blogs that address some of the issues and concerns that I know FOI practitioners share. Over the coming months we will be publishing a series of ‘FOI Basics Blogs’ on the issues raised during our one-day FOI courses starting with a blog on ‘Business as Usual or FOI Request’?

For those FOI practitioners who want to take their training and understanding to the next level, Act Now Training now offer a 4-day FOI Practitioner Certificate this course is modelled on the highly successful GDPR Practitioner Certificate and was launched in May 2019. We have now delivered it seven times and it is absolutely clear this model enables FOI practitioners to develop a more detailed knowledge and understanding of the FOI in practice. It gives delegates the chance to explore the exemptions in far more detail over two days, with Day 3 focussing on the most frequently used exemptions, including Sections 40 and 43. The course also prepares delegates for writing a Refusal Notice which forms part of the final assessment.

Delegates have given very positive feedback:

“The course was very well structured and well timed. The length of the course was ideal as this gave sufficient time to discuss all areas relating to FOI and also gave candidates ample time for discussion and study. The trainer was very supportive and the knowledge that has been imparted has enabled me to develop the FOI function with our organisation. Highly Recommended.”
JW, Heywood Middleton and Rochdale NHS

“The course was excellent and really sets you up for the exam, I would recommend it to others working in the field. I have put what I learned on the course to good use as I am a FOI and DPA Manager in a very busy post with lots of business each and every day; many of the requests are unusual. The course and now passing the exam have given me the confidence to do my job.”
JH, NI Courts and Tribunals Service

“Thank you for a great course – as always all the trainers at Act Now are extremely knowledgeable, approachable and make the learning experience really enjoyable.”
KF, St Helens Council

As you can see Delegates are enjoying the course content and delivery style. Most importantly they are able to take away their gained knowledge and apply it to their everyday role with confidence. After all, that is the purpose and objective of a course such as this. It makes me immensely proud and pleased to be able to be a part of the team that helps delegates in this way everyday and I look forward to the next 12 months.

Susan Wolf is a trainer for Act Now Training. She has over ten years experience teaching information rights practitioners on the LLM Information Rights Law & Practice at Northumbria University. All our trainers are available to deliver customised in house training, health checks and audits. Please read the testimonials from satisfied clients and get in touch for a quote.

Information Governance Experts Join the Act Now Team

Steven CockcroftCraig Geddesbarry moult

(From Left to Right: Steven Cockcroft, Craig Geddes, Barry Moult.)

Act Now Training is pleased to announce that three new highly regarded information governance experts have joined its team of consultants.

Cyber security is one of the Information Commissioner’s regulatory priorities for the coming year. This is not surprising when you consider the recent Notices of Intent (to fine) issued by the ICO. We are developing a range of cyber security courses for the coming year. First off we have launched an Introduction to Cyber Security workshop led by our new consultant Steven Cockcroft.

Steven holds accredited trainer status from the British Computer Society, PECB and APMG. He is also accredited under the GCHQ Certified Trainer scheme, delivering training in the areas of Cyber Security, Information Security, Data Protection, Business Continuity Management, Audit, Risk Management and Business Continuity Management. Steven has assisted over 30 organisations to become certified to international best practice information security frameworks including the UK Government Cyber Essentials Scheme, ISO 27001 and ISO 22301.

Act Now has been running a full programme of information governance workshops in Scotland for many years. We have boosted our team of Scottish consultants by engaging Craig Geddes who is a qualified archivist and records manager, with 28 years of experience working across the range of information governance activities. He has worked for several Scottish local authorities as Archivist, Records Manager, and Senior Information and Improvement Officer. Craig has developed and delivered training on records management, freedom of information and data protection for a number of years, and is an engaging and entertaining speaker. Craig will help deliver our current Scottish courses, both in house and external, and develop new ones such as the recently launched Public Records (Scotland) Act Now workshop.

Act Now’s portfolio of clients includes many health organisations. With a view to delivering more health focused information governance courses, Barry Moult has joined our team. Barry is a well know IG expert with many years of experience working with and advising NHS organisations. He founded and has chaired the Eastern Region IG Forum since 2003. Until August 2018, Barry was the Chair of the NHS National Strategical Information Governance Network (SIGN) group and continues to sit on the NHS GDPR working group. Prior to that, he was Head of IG and Health Records at two large NHS Acute Trusts and was recently on a secondment to a local STP looking at information sharing and GDPR for Health and Social Care.

Barry will be delivering our health focused workshops on GDPR and the role of SIROs. Barry has also developed a new workshop for Caldicott Guardians to help them understand and apply the Caldicott Principles and the common law duty of confidentiality in a Health and Social Care setting. He will also look at the legislative requirements (e.g. GDPR) how they apply to patients’ records and what to consider when making moral and ethical decisions. There will also be discussion around how the Caldicott Guardian interacts with the Information Governance Lead, the Data Protection Officer and the Senior Information Risk Owner (SIRO).

The latest recruits boost the number of Act Now consultants to thirteen. Ibrahim Hasan, solicitor and director of Act Now Training,  said:

“I am pleased that Steven, Craig and Barry have joined our wonderful team of consultants who all have a reputation for explaining difficult subjects in a simple jargon-free way. Their knowledge of information rights coupled with real world experience will help us expand our services and deliver even more courses to our rapidly expanding client base.”

Act Now Training is now one of the largest information governance training and consultancy companies in the UK with over 17 years of experience in the sector.  Our trainers are available to deliver customised in house training, health checks and audits. Please read the testimonials from satisfied clients and get in touch for a quote.

Blog Footer Blue and White 2

Act Now’s FOI Practitioner Certificate: The Story So Far

FOI Certificate Banner

At the end of 2018 Act Now announced the launch of its new FOI Practitioner Certificate. In keeping with the company’s ethos of delivering on the ground practical training, the new course is designed to meet the needs of practitioners and to enable them to fulfil their roles as FOI Officers.

Act Now is pleased to inform readers that in May and June the first two cohorts of delegates attended our fully booked courses in London and Manchester respectively.
The courses were designed and delivered by Susan Wolf, formerly a senior lecturer on the University of Northumbria’s LLM in Information Rights Law.

The course has so far attracted delegates from a range of public authorities, including the Crown Prosecution Service, Department for Environment, Food and Rural Affairs (Defra), Maritime and Coastguard Agency (MCGA), Nursing and Midwifery Council, University of West London, Dudley CCG, Land Registry, Lancashire Council, Cheshire Police and St Leger Homes,

Susan says:

 “I have looked at every aspect of this revised course to ensure it equips FOI officers with the knowledge they need to tackle FOI in a practical way.”

The course uses the same format as our very successful GDPR Practitioner Certificate.
It takes place over four days (one day per week) and involves lectures, discussion and practical drafting exercises. All delegates are encouraged to actively participate and share their experiences, in order to create an inclusive environment.  Over the coming months, further courses will be delivered by Susan, Ibrahim Hasan and Philip Jones.

What’s new?

The new course offers several innovations, which Act Now believes makes the it distinctive and highly relevant to FOI Officers and other practitioners with responsibility for providing access to public information. One innovation is that time is made available each day for delegates to reflect on what they have learned and how it will inform their practice. From her experience of delivering of training the first two cohorts, Susan noted:

Delegates were able to share their experiences and problems, and more importantly offer suggestions for tackling problems.  This was particularly useful for delegates with limited FOI experience, or from smaller organisations, who were able to take away practical suggestions about how to handle requests and deal with the exemptions.

The course also encourages delegates to become independent learners and provides guidance on ‘keeping up to date’ and understanding how cases are handled by the First Tier Information Rights Tribunal.  Susan says:

The law isn’t static; we keep getting new ICO guidance, based on Tribunal and Court decisions. It is important that FOI practitioners understand the importance of keeping up to date, and how to do this.”

The assessment of the course is innovative and modern. The assessment model will be very familiar to people who have undertaken our GDPR Practitioner Certificate. First delegates must complete a one-hour MCQ test. This is  worth 30% of the overall assessment. The remaining 70% involves a written project.  Delegates are given a practical scenario which requires them to draft a Refusal Notice and explain how they would handle the request and their selection of exemptions. All delegates receive detailed feedback on their written projects. Our Scottish FOISA course also now follows the same format.

Susan says:

The assessment has been designed to be relevant and useful; I can see little point in giving delegates a task that has no meaning to their practice.  Instead we want our delegates to feel like the assessment will inform their practice and enable them to enhance and develop their skills. Writing a robust refusal notice is an essential skill for FOI practitioners and lies at the heart of our assessment on this course.”

The delegate feedback so far has been excellent and it seems that this course has plugged a gap in the market:

An excellent course taught by someone with all the relevant knowledge and experience to impart to the delegates. Also very useful course materials which have proved to be helpful to me on a day to day basis in my job. I would really recommend this course to anyone who is dealing with FOI’s in their job.
JC, Department for Environment, Food and Rural Affairs (Defra)

Ibrahim Hasan (Director of Act Now Training) says:

“We are pleased that this new FOI certificate course is meeting the training needs of FOI officers. Because of its emphasis on practical skills, we are confident that it will become the qualification of choice for current and future FOI Officers and advisers.”

More venues have been added for this course including Belfast. All our courses can be delivered at your premises at a substantially reduced cost.

Contact us for more information.